lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <e2f72429-91c5-7140-c13d-35d4623092de@gmail.com>
Date:   Wed, 29 Sep 2021 20:45:17 +0300
From:   Tariq Toukan <ttoukan.linux@...il.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Tariq Toukan <tariqt@...dia.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     netdev@...r.kernel.org, linux-rdma@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH][net-next] net/mlx4: Use array_size() helper in
 copy_to_user()



On 9/29/2021 8:21 PM, Eric Dumazet wrote:
> 
> 
> On 9/29/21 3:24 AM, Tariq Toukan wrote:
>>
>>
>> On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:
>>> Use array_size() helper instead of the open-coded version in
>>> copy_to_user(). These sorts of multiplication factors need
>>> to be wrapped in array_size().
>>>
>>> Link: https://github.com/KSPP/linux/issues/160
>>> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
>>> ---
>>>    drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
>>>    1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> index f7053a74e6a8..4d4f9cf9facb 100644
>>> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> @@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>>>                buf += PAGE_SIZE;
>>>            }
>>>        } else {
>>> -        err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
>>> +        err = copy_to_user((void __user *)buf, init_ents,
>>> +                   array_size(entries, cqe_size)) ?
>>>                -EFAULT : 0;
>>>        }
>>>   
>>
>> Thanks for your patch.
>> Reviewed-by: Tariq Toukan <tariqt@...dia.com>
> 
> Not sure why avoiding size_t overflows would make this code safer.
> init_ents contains PAGE_SIZE bytes...
> 
> BTW
> 
> Is @entries guaranteed to be a power of two ?

Yes.

> 
> This function seems to either copy one chunk ( <= PAGE_SIZE),
> or a number of full pages.
> 

Exactly. No remainder handling is needed, for the reason you mentioned 
above.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ