lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20220920150809.4014944-1-jiebin.sun@intel.com>
Date:   Tue, 20 Sep 2022 23:08:09 +0800
From:   Jiebin Sun <jiebin.sun@...el.com>
To:     akpm@...ux-foundation.org, vasily.averin@...ux.dev,
        shakeelb@...gle.com, dennis@...nel.org, tj@...nel.org,
        cl@...ux.com, ebiederm@...ssion.com, legion@...nel.org,
        manfred@...orfullife.com, alexander.mikhalitsyn@...tuozzo.com,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Cc:     tim.c.chen@...el.com, feng.tang@...el.com, ying.huang@...el.com,
        tianyou.li@...el.com, wangyang.guo@...el.com, jiebin.sun@...el.com,
        Manfred Spraul <manfred@...orfullif.com>,
        Tim Chen <tim.c.chen@...ux.intel.com>
Subject: [PATCH] ipc/msg: avoid negative value by overflow in msginfo

The 32-bit value in msginfo struct could be negative if we get it
from signed 64-bit. Clamping it to INT_MAX helps to avoid the
negative value by overflow.

Signed-off-by: Jiebin Sun <jiebin.sun@...el.com>
Reviewed-by: Manfred Spraul <manfred@...orfullif.com>
Reviewed-by: Tim Chen <tim.c.chen@...ux.intel.com>
---
 ipc/msg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipc/msg.c b/ipc/msg.c
index f2bb4c193ecf..65f437e28c9b 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -501,8 +501,8 @@ static int msgctl_info(struct ipc_namespace *ns, int msqid,
 	max_idx = ipc_get_maxidx(&msg_ids(ns));
 	up_read(&msg_ids(ns).rwsem);
 	if (cmd == MSG_INFO) {
-		msginfo->msgmap = percpu_counter_sum(&ns->percpu_msg_hdrs);
-		msginfo->msgtql = percpu_counter_sum(&ns->percpu_msg_bytes);
+		msginfo->msgmap = min(percpu_counter_sum(&ns->percpu_msg_hdrs), INT_MAX);
+		msginfo->msgtql = min(percpu_counter_sum(&ns->percpu_msg_bytes), INT_MAX);
 	} else {
 		msginfo->msgmap = MSGMAP;
 		msginfo->msgpool = MSGPOOL;
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ