[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240801010953.GA1835661@google.com>
Date: Thu, 1 Aug 2024 01:09:53 +0000
From: Eric Biggers <ebiggers@...nel.org>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Miklos Szeredi <miklos@...redi.hu>,
Richard Fung <richardfung@...gle.com>,
Arnd Bergmann <arnd@...db.de>,
Nathan Chancellor <nathan@...nel.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev
Subject: Re: [PATCH] fuse: fs-verity: aoid out-of-range comparison
On Tue, Jul 30, 2024 at 04:27:52PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> clang points out that comparing the 16-bit size of the digest against
> SIZE_MAX is not a helpful comparison:
>
> fs/fuse/ioctl.c:130:18: error: result of comparison of constant 18446744073709551611 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
> if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
> ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This either means tha tthe check can be removed entirely, or that the
> intended comparison was for the 16-bit range. Assuming the latter was
> intended, compare against U16_MAX instead.
>
> Fixes: 9fe2a036a23c ("fuse: Add initial support for fs-verity")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> fs/fuse/ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/fuse/ioctl.c b/fs/fuse/ioctl.c
> index 572ce8a82ceb..5711d86c549d 100644
> --- a/fs/fuse/ioctl.c
> +++ b/fs/fuse/ioctl.c
> @@ -127,7 +127,7 @@ static int fuse_setup_measure_verity(unsigned long arg, struct iovec *iov)
> if (copy_from_user(&digest_size, &uarg->digest_size, sizeof(digest_size)))
> return -EFAULT;
>
> - if (digest_size > SIZE_MAX - sizeof(struct fsverity_digest))
> + if (digest_size > U16_MAX - sizeof(struct fsverity_digest))
> return -EINVAL;
>
> iov->iov_len = sizeof(struct fsverity_digest) + digest_size;
I think this was just defensive coding to ensure that the assignment to iov_len
can't overflow regardless of the type of digest_size. You can remove the check
if you want to, though isn't the tautological comparison warning disabled by the
kernel build system anyway? Anyway, it does not make sense to use U16_MAX here.
- Eric
Powered by blists - more mailing lists