| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Sep 2019 09:12:36 +0000
From: "wangxu (AE)" <wangxu72@...wei.com>
To: "Michael S. Tsirkin" <mst@...hat.com>
CC: "jasowang@...hat.com" <jasowang@...hat.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"virtualization@...ts.linux-foundation.org"
<virtualization@...ts.linux-foundation.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] vhost: It's better to use size_t for the 3rd parameter
of vhost_exceeds_weight()
Hi Michael
Thanks for your fast reply.
As the following code, the 2nd branch of iov_iter_advance() does not check if i->count < size, when this happens, i->count -= size may cause len exceed INT_MAX, and then total_len exceed INT_MAX.
handle_tx_copy() ->
get_tx_bufs(..., &len, ...) ->
init_iov_iter() ->
iov_iter_advance(iter, ...) // has 3 branches:
pipe_advance() // has checked the size: if (unlikely(i->count < size)) size = i->count;
iov_iter_is_discard() ... // no check.
iterate_and_advance() //has checked: if (unlikely(i->count < n)) n = i->count;
return iov_iter_count(iter);
-----Original Message-----
From: Michael S. Tsirkin [mailto:mst@...hat.com]
Sent: Monday, September 23, 2019 4:07 PM
To: wangxu (AE) <wangxu72@...wei.com>
Cc: jasowang@...hat.com; kvm@...r.kernel.org; virtualization@...ts.linux-foundation.org; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vhost: It's better to use size_t for the 3rd parameter of vhost_exceeds_weight()
On Mon, Sep 23, 2019 at 03:46:41PM +0800, wangxu wrote:
> From: Wang Xu <wangxu72@...wei.com>
>
> Caller of vhost_exceeds_weight(..., total_len) in drivers/vhost/net.c
> usually pass size_t total_len, which may be affected by rx/tx package.
>
> Signed-off-by: Wang Xu <wangxu72@...wei.com>
Puts a bit more pressure on the register file ...
why do we care? Is there some way that it can exceed INT_MAX?
> ---
> drivers/vhost/vhost.c | 4 ++--
> drivers/vhost/vhost.h | 7 ++++---
> 2 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index
> 36ca2cf..159223a 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -412,7 +412,7 @@ static void vhost_dev_free_iovecs(struct vhost_dev
> *dev) }
>
> bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
> - int pkts, int total_len)
> + int pkts, size_t total_len)
> {
> struct vhost_dev *dev = vq->dev;
>
> @@ -454,7 +454,7 @@ static size_t vhost_get_desc_size(struct
> vhost_virtqueue *vq,
>
> void vhost_dev_init(struct vhost_dev *dev,
> struct vhost_virtqueue **vqs, int nvqs,
> - int iov_limit, int weight, int byte_weight)
> + int iov_limit, int weight, size_t byte_weight)
> {
> struct vhost_virtqueue *vq;
> int i;
> diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h index
> e9ed272..8d80389d 100644
> --- a/drivers/vhost/vhost.h
> +++ b/drivers/vhost/vhost.h
> @@ -172,12 +172,13 @@ struct vhost_dev {
> wait_queue_head_t wait;
> int iov_limit;
> int weight;
> - int byte_weight;
> + size_t byte_weight;
> };
>
This just costs extra memory, and value is never large, so I don't think this matters.
> -bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int
> total_len);
> +bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts,
> + size_t total_len);
> void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
> - int nvqs, int iov_limit, int weight, int byte_weight);
> + int nvqs, int iov_limit, int weight, size_t byte_weight);
> long vhost_dev_set_owner(struct vhost_dev *dev); bool
> vhost_dev_has_owner(struct vhost_dev *dev); long
> vhost_dev_check_owner(struct vhost_dev *);
> --
> 1.8.5.6
Powered by blists - more mailing lists