Message-ID: <84d54213-e093-4c6e-a126-4df1253ca73d@kadam.mountain>
Date: Fri, 3 Nov 2023 08:59:58 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev, Kent Overstreet <kmo@...erainc.com>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: fs/bcachefs/chardev.c:391 bch2_ioctl_fs_usage() warn: check for
integer overflow 'replica_entries_bytes'
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 4652b8e4f3ffa48c706ec334f048c217a7d9750d
commit: 22502ac23a2eaa3714b77d4a9242df352a9cd0c0 bcachefs: Redo filesystem usage ioctls
config: x86_64-randconfig-161-20231102 (https://download.01.org/0day-ci/archive/20231103/202311030618.5bKFt0YI-lkp@intel.com/config)
compiler: gcc-7 (Ubuntu 7.5.0-6ubuntu2) 7.5.0
reproduce: (https://download.01.org/0day-ci/archive/20231103/202311030618.5bKFt0YI-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202311030618.5bKFt0YI-lkp@intel.com/
New smatch warnings:
fs/bcachefs/chardev.c:391 bch2_ioctl_fs_usage() warn: check for integer overflow 'replica_entries_bytes'
Old smatch warnings:
fs/bcachefs/chardev.c:444 bch2_ioctl_fs_usage() warn: maybe return -EFAULT instead of the bytes remaining?
fs/bcachefs/chardev.c:524 bch2_ioctl_read_super() warn: maybe return -EFAULT instead of the bytes remaining?
vim +/replica_entries_bytes +391 fs/bcachefs/chardev.c
22502ac23a2eaa Kent Overstreet 2019-12-16 375 static long bch2_ioctl_fs_usage(struct bch_fs *c,
22502ac23a2eaa Kent Overstreet 2019-12-16 376 struct bch_ioctl_fs_usage __user *user_arg)
1c6fdbd8f2465d Kent Overstreet 2017-03-16 377 {
22502ac23a2eaa Kent Overstreet 2019-12-16 378 struct bch_ioctl_fs_usage *arg = NULL;
22502ac23a2eaa Kent Overstreet 2019-12-16 379 struct bch_replicas_usage *dst_e, *dst_end;
22502ac23a2eaa Kent Overstreet 2019-12-16 380 struct bch_fs_usage_online *src;
22502ac23a2eaa Kent Overstreet 2019-12-16 381 u32 replica_entries_bytes;
22502ac23a2eaa Kent Overstreet 2019-12-16 382 unsigned i;
22502ac23a2eaa Kent Overstreet 2019-12-16 383 int ret = 0;
1c6fdbd8f2465d Kent Overstreet 2017-03-16 384
1c6fdbd8f2465d Kent Overstreet 2017-03-16 385 if (!test_bit(BCH_FS_STARTED, &c->flags))
1c6fdbd8f2465d Kent Overstreet 2017-03-16 386 return -EINVAL;
1c6fdbd8f2465d Kent Overstreet 2017-03-16 387
22502ac23a2eaa Kent Overstreet 2019-12-16 388 if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes))
This comes from the user.
1c6fdbd8f2465d Kent Overstreet 2017-03-16 389 return -EFAULT;
1c6fdbd8f2465d Kent Overstreet 2017-03-16 390
22502ac23a2eaa Kent Overstreet 2019-12-16 @391 arg = kzalloc(sizeof(*arg) + replica_entries_bytes, GFP_KERNEL);
This can lead to an integer overflow on 32 bit systems.
This API is a bit problematic because we don't ensure that sizeof()
bytes is divisible by sizeof(struct bch_replicas_usage). Use
struct_size() or size_add() to fix the integer overflow.
22502ac23a2eaa Kent Overstreet 2019-12-16 392 if (!arg)
22502ac23a2eaa Kent Overstreet 2019-12-16 393 return -ENOMEM;
1c6fdbd8f2465d Kent Overstreet 2017-03-16 394
22502ac23a2eaa Kent Overstreet 2019-12-16 395 src = bch2_fs_usage_read(c);
22502ac23a2eaa Kent Overstreet 2019-12-16 396 if (!src) {
22502ac23a2eaa Kent Overstreet 2019-12-16 397 ret = -ENOMEM;
22502ac23a2eaa Kent Overstreet 2019-12-16 398 goto err;
1c6fdbd8f2465d Kent Overstreet 2017-03-16 399 }
1c6fdbd8f2465d Kent Overstreet 2017-03-16 400
22502ac23a2eaa Kent Overstreet 2019-12-16 401 arg->capacity = c->capacity;
22502ac23a2eaa Kent Overstreet 2019-12-16 402 arg->used = bch2_fs_sectors_used(c, src);
22502ac23a2eaa Kent Overstreet 2019-12-16 403 arg->online_reserved = src->online_reserved;
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
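As an added illustration of the two points in the report (it is not part of Dan Carpenter's message and not bcachefs code), the C below models the flagged size computation in userland. The struct layouts are hypothetical stand-ins, and `size_add32()` / `struct_size32()` are reimplementations of what the kernel's `size_add()` and `struct_size()` do, using `uint32_t` so that the 32-bit `size_t` wrap the report describes is reproducible on a 64-bit host. The hardened path also rejects a byte count that is not a whole number of entries, which is the divisibility gap the report calls out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins so this builds without kernel headers; these are
 * NOT bcachefs's real layouts. Arithmetic is done in uint32_t to model
 * size_t on a 32-bit kernel, where the report says the overflow occurs.
 */
struct replicas_usage {                 /* hypothetical entry layout */
    uint64_t sectors;
    uint32_t data_type;
    uint32_t nr_devs;
};

struct ioctl_fs_usage {                 /* hypothetical header layout */
    uint64_t capacity;
    uint64_t used;
    uint32_t replica_entries_bytes;
    uint32_t nr_entries;
    struct replicas_usage replicas[];   /* flexible array member */
};

typedef uint32_t size32_t;              /* size_t as a 32-bit kernel sees it */
#define SIZE32_MAX UINT32_MAX

/* The pattern smatch flagged: plain addition of a user-supplied count. */
static size32_t naive_alloc_size(uint32_t replica_entries_bytes)
{
    return (size32_t)sizeof(struct ioctl_fs_usage) + replica_entries_bytes;
}

/* Models size_add(): saturate to SIZE_MAX instead of wrapping, so the
 * allocator receives an impossible request and fails cleanly. */
static size32_t size_add32(size32_t a, size32_t b)
{
    size32_t sum;
    if (__builtin_add_overflow(a, b, &sum))
        return SIZE32_MAX;
    return sum;
}

/* Models struct_size(): header + n elements, saturating on overflow. */
static size32_t struct_size32(size32_t hdr, size32_t elem, size32_t n)
{
    size32_t bytes;
    if (__builtin_mul_overflow(elem, n, &bytes))
        return SIZE32_MAX;
    return size_add32(hdr, bytes);
}

/*
 * Hardened size computation for the user-controlled byte count:
 *  - reject counts that are not a whole number of entries, so no partial
 *    entry can ever be written or copied;
 *  - saturate rather than wrap, so a huge count cannot turn into a small
 *    allocation that is later filled as if it were large.
 * Returns 0 and stores the size in *out, or a negative errno.
 */
static int fs_usage_alloc_size(uint32_t replica_entries_bytes, size32_t *out)
{
    size32_t elem = (size32_t)sizeof(struct replicas_usage);
    size32_t n;

    if (replica_entries_bytes % elem)
        return -EINVAL;
    n = replica_entries_bytes / elem;

    *out = struct_size32((size32_t)sizeof(struct ioctl_fs_usage), elem, n);
    if (*out == SIZE32_MAX)
        return -ENOMEM;                 /* kzalloc(SIZE_MAX) fails anyway */
    return 0;
}

int main(void)
{
    uint32_t count = UINT32_MAX - 15;   /* constructed: near the top of u32 */
    size32_t sz = 0;

    printf("naive size:     %u bytes (wrapped, smaller than the header)\n",
           naive_alloc_size(count));
    printf("hardened result: %d (negative errno, no allocation made)\n",
           fs_usage_alloc_size(count, &sz));
    return 0;
}
```

With the naive computation a count close to `UINT32_MAX` yields an allocation smaller than the header itself; the saturating version turns the same input into a clean `-ENOMEM`, and a count that is not a multiple of the entry size is refused up front with `-EINVAL`.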