| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Apr 2024 14:32:12 +0800 From: Sam Sun <samsun1006219@...il.com> To: Bart Van Assche <bvanassche@....org> Cc: linux-kernel@...r.kernel.org, martin.petersen@...cle.com, linux-scsi@...r.kernel.org, xrivendell7@...il.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] drivers: scsi: fix shift-out-of-bounds in sg_build_indirect On Tue, Apr 16, 2024 at 1:26 AM Bart Van Assche <bvanassche@....org> wrote: > > On 4/14/24 20:14, Sam Sun wrote: > > - num = scatter_elem_sz; > > + num = max(scatter_elem_sz, PAGE_SIZE); > > Shouldn't the following statements be modified instead of the above > statement? I think these are the only statements that can cause > scatter_elem_sz to become smaller than PAGE_SIZE: > > scatter_elem_sz = ret_sz; > scatter_elem_sz_prev = ret_sz; > Yes, these statements are the only statements that modify scatter_elem_sz. However, ret_sz will never be less than PAGE_SIZE, since it is calculated by 1 << (PAGE_SIZE + order), and order will not be less than zero. So I think these statements do not need to be modified. scatter_elem_sz is also exported to userspace by sysfs interface (macro module_param_named()), and privileged users could modify it to any int they want. So I also set the exported type to uint in this patch. Should I also change the type of scatter_elem_sz and scatter_elem_sz_prev also to uint? Best Regards, Yue
Powered by blists - more mailing lists