Message-ID: <bbf929d6-18d2-4b7e-a660-a19460af0a3c@moroto.mountain>
Date: Thu, 9 May 2024 13:48:05 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Trond Myklebust <Trond.Myklebust@...app.com>
Cc: Chuck Lever <chuck.lever@...cle.com>, Jeff Layton <jlayton@...nel.org>,
	Neil Brown <neilb@...e.de>, Olga Kornievskaia <kolga@...app.com>,
	Dai Ngo <Dai.Ngo@...cle.com>, Tom Talpey <tom@...pey.com>,
	Trond Myklebust <trond.myklebust@...merspace.com>,
	Anna Schumaker <anna@...nel.org>, linux-nfs@...r.kernel.org,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH 1/2] SUNRPC: prevent integer overflow in XDR_QUADLEN()

The "l + 3" addition can have integer overflow on 32 bit systems
when it is used in __xdr_inline_decode().  The overflowed value
would be zero and the check "nwords > xdr->nwords" would not work
as intended.

Fixes: ba8e452a4fe6 ("SUNRPC: Add a helper function xdr_inline_peek")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
 include/linux/sunrpc/xdr.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index 2f8dc47f1eb0..585059f2afca 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -14,6 +14,7 @@
 #include <linux/uio.h>
 #include <asm/byteorder.h>
 #include <asm/unaligned.h>
+#include <linux/overflow.h>
 #include <linux/scatterlist.h>
 
 struct bio_vec;
@@ -29,7 +30,7 @@ struct rpc_rqst;
 /*
  * Buffer adjustment
  */
-#define XDR_QUADLEN(l)		(((l) + 3) >> 2)
+#define XDR_QUADLEN(l)		(size_add(l, 3) >> 2)
 
 /*
  * Generic opaque `network object.'
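
Review bot: the switch to `size_add(l, 3)` in XDR_QUADLEN() changes the macro for every user of this header, not only __xdr_inline_decode(). size_add() is a static inline function, so `XDR_QUADLEN(l)` is no longer a constant expression, and any user that places it in a static initializer or an array bound will stop compiling. The result type also becomes size_t whatever the type of `l` is, and a negative signed argument is converted to a large size_t before the addition. Please audit the existing callers for these cases, or leave the macro as plain arithmetic and do the saturating add (or an explicit upper bound check on the length) at the __xdr_inline_decode() call site that the commit message identifies. If the macro change stays, a short comment above it saying that it now saturates at SIZE_MAX >> 2 instead of wrapping to zero would help readers.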
-- 
2.43.0

