Re: [RFC PATCH v2] ceph: ceph: fix out-of-bound array access when doing a file read
From: Goldwyn Rodrigues
Date: Wed Nov 06 2024 - 15:41:03 EST
Hi Xiubo,
> BTW, so in the following code:
>
> 1202 idx = 0;
> 1203 if (ret <= 0)
> 1204 left = 0;
> 1205 else if (off + ret > i_size)
> 1206 left = i_size - off;
> 1207 else
> 1208 left = ret;
>
> The 'ret' should be larger than '0', right ?
>
> If so we do not check anf fix it in the 'else if' branch instead?
>
> Because currently the read path code won't exit directly and keep
> retrying to read if it found that the real content length is longer than
> the local 'i_size'.
>
> Again I am afraid your current fix will break the MIX filelock semantic ?
Do you think changing left to ssize_t instead of size_t will
fix the problem?
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 4b8d59ebda00..f8955773bdd7 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1066,7 +1066,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
if (ceph_inode_is_shutdown(inode))
return -EIO;
- if (!len)
+ if (!len || !i_size)
return 0;
/*
* flush any page cache pages in this range. this
@@ -1087,7 +1087,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
size_t page_off;
bool more;
int idx;
- size_t left;
+ ssize_t left;
struct ceph_osd_req_op *op;
u64 read_off = off;
u64 read_len = len;
--
Goldwyn