| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZmhqFLdCW6aXriqP@kbusch-mbp.dhcp.thefacebook.com> Date: Tue, 11 Jun 2024 09:15:32 -0600 From: Keith Busch <kbusch@...nel.org> To: Roman Smirnov <r.smirnov@....ru> Cc: "axboe@...nel.dk" <axboe@...nel.dk>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-block@...r.kernel.org" <linux-block@...r.kernel.org>, Karina Yankevich <k.yankevich@....ru>, "lvc-patches@...uxtesting.org" <lvc-patches@...uxtesting.org>, Sergey Shtylyov <s.shtylyov@....ru> Subject: Re: [bug report] block: integer overflow in __bvec_gap_to_prev() On Tue, Jun 11, 2024 at 02:23:48PM +0000, Roman Smirnov wrote: > Hello. > > There is a case of integer overflow in __bvec_gap_to_prev(): > > ((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask); > > bio_vec can cross multiple pages: > > https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@redhat.com/t/ > > So, in case bio has one bio_vec bv_len can have a maximum value of UINT_MAX. > The check happens in bio_full(). In the case when bv_len is equal to > UINT_MAX and bv_offset is greater than zero, an overflow may occur. Does it matter? The lower bits checked against the mask should be the same regardless of overflow.
Powered by blists - more mailing lists