Re: [PATCH] mm: shmem: avoid overflowing in shmem_fallocate
From: Sasha Levin
Date: Wed Dec 03 2014 - 21:33:59 EST
On 12/03/2014 08:51 PM, Naoya Horiguchi wrote:
> On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote:
>> > "offset + len" has the potential of overflowing. Validate this user input
>> > first to avoid undefined behaviour.
>> >
>> > Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
>> > ---
>> > mm/shmem.c | 3 +++
>> > 1 file changed, 3 insertions(+)
>> >
>> > diff --git a/mm/shmem.c b/mm/shmem.c
>> > index 185836b..5a0e344 100644
>> > --- a/mm/shmem.c
>> > +++ b/mm/shmem.c
>> > @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
>> > }
>> >
>> > /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
>> > + error = -EOVERFLOW;
>> > + if ((u64)len + offset < (u64)len)
>> > + goto out;
> Hi Sasha,
>
> It seems to me that we already do some overflow check in common path,
> do_fallocate():
>
> /* Check for wrap through zero too */
> if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
> return -EFBIG;
>
> Do we really need another check?
It looks like we actually need to fix this snippet you pasted rather than shmem_fallocate().
We can't check for ((offset + len) < 0) since both offset and length are signed integers. I'll
send a patch to deal with that rather that this shmem specific one. Thanks!
Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/