| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240721201924.48781-2-dennis.lamerice@gmail.com>
Date: Sun, 21 Jul 2024 16:19:18 -0400
From: Dennis Lam <dennis.lamerice@...il.com>
To: iro@...iv.linux.org.uk,
viro@...iv.linux.org.uk
Cc: Dennis Lam <dennis.lamerice@...il.com>,
linux-kernel@...r.kernel.org,
syzbot+f2a9c06bfaa027217ebb@...kaller.appspotmail.com
Subject: [PATCH] btrfs: Change iov_iter_alignment_iovec to check iovec count before accesses an iovec
When checking iov_iter_alignment_iovec for valid read and the iovec is empty,
the function still tries to iterate non-existant values. In this case, the iov
variable is empty and attempting to use iov->iov_len causes a kernel crash.
This patch fixes this by checking the size of the iovec before iterating.
Signed-off-by: Dennis Lam <dennis.lamerice@...il.com>
---
lib/iov_iter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 4a6a9f419bd7..2d82ecf1b622 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -783,7 +783,7 @@ static unsigned long iov_iter_alignment_iovec(const struct iov_iter *i)
size_t size = i->count;
size_t skip = i->iov_offset;
- do {
+ while(size) {
size_t len = iov->iov_len - skip;
if (len) {
res |= (unsigned long)iov->iov_base + skip;
@@ -794,7 +794,7 @@ static unsigned long iov_iter_alignment_iovec(const struct iov_iter *i)
}
iov++;
skip = 0;
- } while (size);
+ }
return res;
}
--
2.45.2
Powered by blists - more mailing lists