lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <yvmwdvnfzqz3efyoypejvkd4ihn5viagy4co7f4pquwrlvjli6@t7k6uihd2pp3>
Date: Wed, 6 Nov 2024 15:40:44 -0500
From: Goldwyn Rodrigues <rgoldwyn@...e.de>
To: Xiubo Li <xiubli@...hat.com>
Cc: "Luis Henriques (SUSE)" <luis.henriques@...ux.dev>, 
	Ilya Dryomov <idryomov@...il.com>, ceph-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2] ceph: ceph: fix out-of-bound array access when
 doing a file read

Hi Xiubo,

> BTW, so in the following code:
> 
> 1202                 idx = 0;
> 1203                 if (ret <= 0)
> 1204                         left = 0;
> 1205                 else if (off + ret > i_size)
> 1206                         left = i_size - off;
> 1207                 else
> 1208                         left = ret;
> 
> The 'ret' should be larger than '0', right ?
> 
> If so we do not check anf fix it in the 'else if' branch instead?
> 
> Because currently the read path code won't exit directly and keep 
> retrying to read if it found that the real content length is longer than 
> the local 'i_size'.
> 
> Again I am afraid your current fix will break the MIX filelock semantic ?

Do you think changing left to ssize_t instead of size_t will
fix the problem?


diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 4b8d59ebda00..f8955773bdd7 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1066,7 +1066,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
 	if (ceph_inode_is_shutdown(inode))
 		return -EIO;
 
-	if (!len)
+	if (!len || !i_size)
 		return 0;
 	/*
 	 * flush any page cache pages in this range.  this
@@ -1087,7 +1087,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
 		size_t page_off;
 		bool more;
 		int idx;
-		size_t left;
+		ssize_t left;
 		struct ceph_osd_req_op *op;
 		u64 read_off = off;
 		u64 read_len = len;

-- 
Goldwyn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ