lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <591ae05a-7ad4-4ff7-943d-d8ecc17c91ca@moroto.mountain>
Date: Mon, 17 Jun 2024 09:01:57 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc: Yangbo Lu <yangbo.lu@....com>,
	Richard Cochran <richardcochran@...il.com>,
	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] ptp: fix integer overflow in max_vclocks_store

On Sat, Jun 15, 2024 at 09:05:56AM +0200, Christophe JAILLET wrote:
> Le 14/06/2024 à 19:31, Dan Carpenter a écrit :
> > On 32bit systems, the "4 * max" multiply can overflow.  Use size_mul()
> > to fix this.
> > 
> > Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
> > Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> > ---
> >   drivers/ptp/ptp_sysfs.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
> > index a15460aaa03b..bc1562fcd6c9 100644
> > --- a/drivers/ptp/ptp_sysfs.c
> > +++ b/drivers/ptp/ptp_sysfs.c
> > @@ -296,7 +296,7 @@ static ssize_t max_vclocks_store(struct device *dev,
> >   	if (max < ptp->n_vclocks)
> >   		goto out;
> > -	size = sizeof(int) * max;
> > +	size = size_mul(sizeof(int), max);
> >   	vclock_index = kzalloc(size, GFP_KERNEL);
> 
> kcalloc() maybe?
> 

Fair enough.  I'll resend.

> >   	if (!vclock_index) {
> >   		err = -ENOMEM;
> 
> 
> Unrelated but, a few lines above, should the:
> 	if (max == ptp->max_vclocks)
> 		return count;
> 
> be after:
> 	if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
> 		return -ERESTARTSYS;
> 
> as done in n_vclocks_store()?

The code is probably better as is.  This is a short cut path.  We
sometimes see this pattern on fast paths where we test to see if we can
skip everything, then we test again underlock if the test is really
essential.  Here if max == ptp->max_vclocks then the whole function is
very complicated no-op so it's not necessary to retest under the lock.

Meanwhile the essential "if (max < ptp->n_vclocks)" check is done under
lock.  So it works and it feels like someone put some thought into it.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ