| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aCflM0LZ23d2j2FF@mini-arch>
Date: Fri, 16 May 2025 18:24:03 -0700
From: Stanislav Fomichev <stfomichev@...il.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: netdev@...r.kernel.org, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
willemb@...gle.com, sagi@...mberg.me, asml.silence@...il.com,
almasrymina@...gle.com, kaiyuanz@...gle.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] net: devmem: remove min_t(iter_iov_len) in
sendmsg
On 05/17, Al Viro wrote:
> On Fri, May 16, 2025 at 05:04:31PM -0700, Stanislav Fomichev wrote:
> > iter_iov_len looks broken for UBUF. When iov_iter_advance is called
> > for UBUF, it increments iov_offset and also decrements the count.
> > This makes the iterator only go over half of the range (unless I'm
> > missing something).
>
> What do you mean by "broken"? iov_iter_len(from) == "how much data is
> left in that iterator". That goes for all flavours, UBUF included...
>
> Confused...
Right, but __ubuf_iovec.iov_len aliases with (total) count:
union {
struct iovec __ubuf_iovec; /* { void *iov_base; size_t iov_len } */
struct {
union { const struct iovec *__iov; ... };
size_t count;
}
}
So any time we do iov_iter_advance(size) (which does iov_offset += size
and count -= size), we essentially subtract the size from count _and_
iov_len. And now, calling iter_iov_len (which does iov_len - iov_offset)
returns bogus length. I don't think that's intended or am I missing something?
Powered by blists - more mailing lists