| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSwQnOF0T64i2ljF@kernel.org>
Date: Sun, 30 Nov 2025 11:38:36 +0200
From: Mike Rapoport <rppt@...nel.org>
To: Pasha Tatashin <pasha.tatashin@...een.com>
Cc: pratyush@...nel.org, dmatlack@...gle.com, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] liveupdate: luo_core: fix redundant bound check in
luo_ioctl()
On Sat, Nov 29, 2025 at 08:09:19PM -0500, Pasha Tatashin wrote:
> The kernel test robot reported a Smatch warning:
> kernel/liveupdate/luo_core.c:402 luo_ioctl() warn: unsigned 'nr' is
> never less than zero.
>
> This occurs because 'nr' is unsigned and LIVEUPDATE_CMD_BASE is
> currently defined as 0, making the check (nr < LIVEUPDATE_CMD_BASE)
> always false.
>
> Remove the explicit lower bound check. The logic remains correct because
> 'nr' is unsigned; if nr is less than LIVEUPDATE_CMD_BASE, the expression
> (nr - LIVEUPDATE_CMD_BASE) will wrap around to a large positive value.
> This will inevitably be larger than ARRAY_SIZE(luo_ioctl_ops) and be
> caught by the upper bound check.
>
> Reported-by: kernel test robot <lkp@...el.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202511280300.6pvBmXUS-lkp@intel.com/
> Signed-off-by: Pasha Tatashin <pasha.tatashin@...een.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@...nel.org>
> ---
> kernel/liveupdate/luo_core.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c
> index 69298d82f404..7a9ef16b37d8 100644
> --- a/kernel/liveupdate/luo_core.c
> +++ b/kernel/liveupdate/luo_core.c
> @@ -404,10 +404,8 @@ static long luo_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> int err;
>
> nr = _IOC_NR(cmd);
> - if (nr < LIVEUPDATE_CMD_BASE ||
> - (nr - LIVEUPDATE_CMD_BASE) >= ARRAY_SIZE(luo_ioctl_ops)) {
> + if (nr - LIVEUPDATE_CMD_BASE >= ARRAY_SIZE(luo_ioctl_ops))
> return -EINVAL;
> - }
>
> ucmd.ubuffer = (void __user *)arg;
> err = get_user(ucmd.user_size, (u32 __user *)ucmd.ubuffer);
>
> base-commit: 7d31f578f3230f3b7b33b0930b08f9afd8429817
> --
> 2.52.0.487.g5c8c507ade-goog
>
--
Sincerely yours,
Mike.
Powered by blists - more mailing lists