Re: [patch -resend] NVMe: check for integer overflow innvme_map_user_pages()

From: Matthew Wilcox
Date: Fri May 17 2013 - 09:41:35 EST

Next message: Matthew Wilcox: "Re: [PATCH v2] NVMe: fix error return code in nvme_submit_bio_queue()"
Previous message: Matthew Wilcox: "Re: [patch] MAINTAINERS: update NVM EXPRESS DRIVER file list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, May 13, 2013 at 05:59:50PM +0300, Dan Carpenter wrote:
> You need to have CAP_SYS_ADMIN to trigger this overflow but it makes the
> static checkers complain so we should fix it. The worry is that
> "length" comes from copy_from_user() so we need to check that "length +
> offset" can't overflow.
>
> I also changed the min_t() cast to be unsigned instead of signed. Now
> that we cap "length" to INT_MAX it doesn't make a difference, but it's a
> little easier for reviewers to know that large values aren't cast to
> negative.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Applied
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matthew Wilcox: "Re: [PATCH v2] NVMe: fix error return code in nvme_submit_bio_queue()"
Previous message: Matthew Wilcox: "Re: [patch] MAINTAINERS: update NVM EXPRESS DRIVER file list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]