Re: [bug report] ceph: decode interval_sets for delegated inos

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 03, 2024 at 11:19:25AM +0300, Dan Carpenter wrote:
> Hello Jeff Layton,
> 
> Commit d48464878708 ("ceph: decode interval_sets for delegated inos")
> from Nov 15, 2019 (linux-next), leads to the following Smatch static
> checker warning:
> 
> 	fs/ceph/mds_client.c:644 ceph_parse_deleg_inos()
> 	warn: potential user controlled sizeof overflow 'sets * 2 * 8' '0-u32max * 8'
> 
> fs/ceph/mds_client.c
>     637 static int ceph_parse_deleg_inos(void **p, void *end,
>     638                                  struct ceph_mds_session *s)
>     639 {
>     640         u32 sets;
>     641 
>     642         ceph_decode_32_safe(p, end, sets, bad);
>                                             ^^^^
> set to user data here.
> 
>     643         if (sets)
> --> 644                 ceph_decode_skip_n(p, end, sets * 2 * sizeof(__le64), bad);
>                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^
> This is safe on 64bit but on 32bit systems it can integer overflow/wrap.
> 

Smatch has similar warnings in ceph_mdsmap_decode().

fs/ceph/mdsmap.c:228 ceph_mdsmap_decode() warn: potential user controlled sizeof overflow 'num_export_targets * 4' '0-u32max * 4'
fs/ceph/mdsmap.c:280 ceph_mdsmap_decode() warn: potential user controlled sizeof overflow '8 * (n + 1)' '8 * s32min-s32max'
fs/ceph/mdsmap.c:337 ceph_mdsmap_decode() warn: potential user controlled sizeof overflow '4 * n' '4 * 0-u32max'
fs/ceph/mdsmap.c:339 ceph_mdsmap_decode() warn: potential user controlled sizeof overflow '4 * n' '4 * 0-u32max'

regards,
dan carpenter





[Index of Archives]     [CEPH Users]     [Ceph Large]     [Ceph Dev]     [Information on CEPH]     [Linux BTRFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux