[PATCH] seq_file: Fix potential addition overflow

From: Jiasheng Jiang
Date: Mon Oct 25 2021 - 03:31:48 EST

Next message: Leon Romanovsky: "Re: [PATCH rdma-rc] IB/core: fix a UAF for netdev in netdevice_event process"
Previous message: Zhang Changzhong: "Re: [PATCH net 2/3] can: j1939: j1939_can_recv(): ignore messages with invalid source address"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

After seq_hlist_start_percpu(), the value of &iter->li_cpu might be
MAX_UINT.
In that case, there will be addition overflow in the cpumask_next().
Therefore, it might be better to add the check before.

Fixes: 0bc7738 ("seq_file: add seq_list_*_percpu helpers")
Signed-off-by: Jiasheng Jiang <jiasheng@xxxxxxxxxxx>
---
fs/seq_file.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index 5059248..f768c28 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -1105,6 +1105,9 @@ seq_hlist_next_percpu(void *v, struct hlist_head __percpu *head,
if (node->next)
return node->next;

+ if (*cpu >= nr_cpu_ids)
+ return NULL;
+
for (*cpu = cpumask_next(*cpu, cpu_possible_mask); *cpu < nr_cpu_ids;
*cpu = cpumask_next(*cpu, cpu_possible_mask)) {
struct hlist_head *bucket = per_cpu_ptr(head, *cpu);
--
2.7.4

Next message: Leon Romanovsky: "Re: [PATCH rdma-rc] IB/core: fix a UAF for netdev in netdevice_event process"
Previous message: Zhang Changzhong: "Re: [PATCH net 2/3] can: j1939: j1939_can_recv(): ignore messages with invalid source address"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]