[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-nfs
Subject: Re: [PATCH 2/2] NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows
From: Dan Carpenter <dan.carpenter () linaro ! org>
Date: 2024-05-09 13:26:19
Message-ID: 70f5c9cf-aa7d-4309-8ed7-48e303ea1be7 () moroto ! mountain
[Download RAW message or body]
On Thu, May 09, 2024 at 09:19:48AM -0400, Chuck Lever wrote:
> On Thu, May 09, 2024 at 01:48:28PM +0300, Dan Carpenter wrote:
> > These lengths come from xdr_stream_decode_u32() and so we should be a
> > bit careful with them. Use size_add() and struct_size() to avoid
> > integer overflows. Saving size_add()/struct_size() results to a u32 is
> > unsafe because it truncates away the high bits.
> >
> > Also generally storing sizes in longs is safer. Most systems these days
> > use 64 bit CPUs. It's harder for an addition to overflow 64 bits than
> > it is to overflow 32 bits. Also functions like vmalloc() can
> > successfully allocate UINT_MAX bytes, but nothing can allocate ULONG_MAX
> > bytes.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> > ---
> > I think my patch 1 fixes any real issues. It's hard to assign a Fixes
> > tag to this.
>
> I agree that this is a defensive change only. As it is late in the
> cycle and this doesn't seem urgent, I would prefer to queue this
> change for v6.11.
>
Sounds good. I would imagine that eventually it will make its way back
to the stable kernels but it's not a rush.
regards,
dan carpenter
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic