| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240721205252.51913-2-dennis.lamerice@gmail.com>
Date: Sun, 21 Jul 2024 16:52:53 -0400
From: Dennis Lam <dennis.lamerice@...il.com>
To: dennis.lamerice@...il.com,
akpm@...ux-foundation.org,
viro@...iv.linux.org.uk
Cc: linux-kernel@...r.kernel.org,
syzbot+f2a9c06bfaa027217ebb@...kaller.appspotmail.com
Subject: [PATCH RESEND] btrfs: Change iov_iter_alignment_iovec to check iovec count before accesses an iovec
When checking iov_iter_alignment_iovec for valid read and the iovec is empty,
the function still tries to iterate non-existant values. In this case, the iov
variable is empty and attempting to use iov->iov_len causes a kernel crash.
This patch fixes this by checking the size of the iovec before iterating.
Resent this patch in thread because one of the emails I pasted was wrong.
Signed-off-by: Dennis Lam <dennis.lamerice@...il.com>
---
lib/iov_iter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 4a6a9f419bd7..2d82ecf1b622 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -783,7 +783,7 @@ static unsigned long iov_iter_alignment_iovec(const struct iov_iter *i)
size_t size = i->count;
size_t skip = i->iov_offset;
- do {
+ while(size) {
size_t len = iov->iov_len - skip;
if (len) {
res |= (unsigned long)iov->iov_base + skip;
@@ -794,7 +794,7 @@ static unsigned long iov_iter_alignment_iovec(const struct iov_iter *i)
}
iov++;
skip = 0;
- } while (size);
+ }
return res;
}
--
2.45.2
Powered by blists - more mailing lists