[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <755aa284-06f4-ee10-ec7b-0f69a1617349@i-love.sakura.ne.jp>
Date: Mon, 27 Sep 2021 20:16:59 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Martijn Coenen <maco@...roid.com>, Arnd Bergmann <arnd@...nel.org>
Cc: Jens Axboe <axboe@...nel.dk>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Arnd Bergmann <arnd@...db.de>,
Dan Schatzberg <schatzberg.dan@...il.com>,
linux-block <linux-block@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, llvm@...ts.linux.dev
Subject: Re: [PATCH] loop: avoid out-of-range warning
Well, you found a bug here.
lo_simple_ioctl(LOOP_SET_BLOCK_SIZE) passes "unsigned long arg" to
loop_validate_block_size() via loop_set_block_size(), and uses only
lower 32bits. "(lo->lo_queue->limits.logical_block_size == arg)" is
failing to "return 0;" if lower 32bits are the same but higher 32bits
are not 0. Shouldn't we also check that higher 32bits are 0, by either
making loop_validate_block_size() to accept "unsigned long" or making
loop_set_block_size() return -EINVAL if larger than UINT_MAX ?
> There is nothing wrong here, so just shut up the check by changing
> the type of the bsize argument.
I think there is something wrong here.
Since "unsigned short bsize" checked only lower 16bits, a fuzzer can
pass e.g. 0xDEAD0200 (which is not a is_power_of_2() 32bits value) to
blk_queue_logical_block_size(lo->lo_queue, arg);
blk_queue_physical_block_size(lo->lo_queue, arg);
blk_queue_io_min(lo->lo_queue, arg);
and confuse the system?
Powered by blists - more mailing lists