| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Jun 2024 15:27:37 +0000 From: Roman Smirnov <r.smirnov@....ru> To: "kbusch@...nel.org" <kbusch@...nel.org> CC: Karina Yankevich <k.yankevich@....ru>, "lvc-patches@...uxtesting.org" <lvc-patches@...uxtesting.org>, "axboe@...nel.dk" <axboe@...nel.dk>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-block@...r.kernel.org" <linux-block@...r.kernel.org>, Sergey Shtylyov <s.shtylyov@....ru> Subject: Re: [bug report] block: integer overflow in __bvec_gap_to_prev() On Tue, 2024-06-11 at 09:15 -0600, Keith Busch wrote: > On Tue, Jun 11, 2024 at 02:23:48PM +0000, Roman Smirnov wrote: > > Hello. > > > > There is a case of integer overflow in __bvec_gap_to_prev(): > > > > ((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask); > > > > bio_vec can cross multiple pages: > > > > https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@redhat.com/t/ > > > > So, in case bio has one bio_vec bv_len can have a maximum value of UINT_MAX. > > The check happens in bio_full(). In the case when bv_len is equal to > > UINT_MAX and bv_offset is greater than zero, an overflow may occur. > > Does it matter? The lower bits checked against the mask should be the > same regardless of overflow. There are several other places where this kind of thing happens: https://elixir.bootlin.com/linux/latest/source/block/blk-merge.c#L292 https://elixir.bootlin.com/linux/latest/source/block/blk.h#L331 I think in those cases overflow would make a difference. I also found a comment before __bio_add_page(). It says that the caller should watch out for free space in bio: https://elixir.bootlin.com/linux/latest/source/block/bio.c#L1075 But what happens if it doesn't keep a check on it? Such code won't get into the kernel?
Powered by blists - more mailing lists