On 06/04/2013 05:09 PM, Jiang Liu wrote:
> On Tue 04 Jun 2013 09:15:43 PM CST, Jerome Marchand wrote:
>> On 06/03/2013 05:42 PM, Jiang Liu wrote:
>>> Function valid_io_request() should verify the entire request doesn't
>>> exceed the zram device, otherwise it will cause invalid memory access.
>>>
>>> Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
>>> ---
>>> drivers/staging/zram/zram_drv.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>>> index 66cf28a..64b51b9 100644
>>> --- a/drivers/staging/zram/zram_drv.c
>>> +++ b/drivers/staging/zram/zram_drv.c
>>> @@ -428,6 +428,10 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
>>> return 0;
>>> }
>>>
>>> + if (unlikely((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>>> + zram->disksize))
>>> + return 0;
>>> +
>>
>> This test makes the first line of previous test redundant. Why not just
>> update it like the following:
>>
>> - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> + ((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>> + zram->disksize)) ||
>>
>>
>> Jerome
> Hi Jerome,
> I think the test "bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)" is
> still needed to protect "(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size"
> from wrapping around.

Good point, but I don't see how this is going to catch all the possible
values that overflow. You still need an explicit overflow test
((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size < bio->bi_size), at which
point the first test would be useless.

Jerome

> Regards!
> Gerry
>
>>
>>> /* I/O request is valid */
>>> return 1;
>>> }
>>>
>>
>
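
Review bot: the comparison in the added check of valid_io_request() uses `>=`, so a request that ends exactly at the end of the device, where `(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size` equals `zram->disksize`, is rejected even though it does not exceed the device; `>` matches what the commit message describes. The new test also depends on the preceding bi_sector range test to keep the shifted sum from wrapping, which is not obvious from the code and deserves a comment, or the bound can be expressed in sectors so that no sum of byte offsets is needed.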
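
The wrap-around question debated in this thread, as an added user-space example that is not code from the patch, the thread or the kernel. It compares a sum-only range check with one that bounds the start sector first and then subtracts; the function names, the 64-bit/32-bit field widths and the 1 MiB `DISKSIZE` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SHIFT 9              /* 512-byte sectors */
#define DISKSIZE (1ULL << 20)       /* constructed sample: 1 MiB device */

/* Sum-only check: byte offset plus length compared against the size.
 * Both the shift and the addition are done modulo 2^64. */
static int valid_sum(uint64_t sector, uint32_t size, uint64_t disksize)
{
	if ((sector << SECTOR_SHIFT) + size >= disksize)
		return 0;
	return 1;
}

/* Wrap-free check: bound the start sector first, then compare the
 * length against the remaining room using a subtraction. */
static int valid_safe(uint64_t sector, uint32_t size, uint64_t disksize)
{
	uint64_t bound = disksize >> SECTOR_SHIFT;
	/* round the length up to whole sectors in 64-bit arithmetic */
	uint64_t nsect = ((uint64_t)size + (1u << SECTOR_SHIFT) - 1) >> SECTOR_SHIFT;

	if (sector >= bound)
		return 0;                   /* start is outside the device */
	return nsect <= bound - sector; /* cannot wrap: sector < bound */
}

int main(void)
{
	/* constructed requests: { start sector, length in bytes } */
	struct { uint64_t sector; uint32_t size; const char *what; } t[] = {
		{ 2040,             4096, "ends exactly at end of device" },
		{ 2047,             4096, "runs past end of device" },
		{ 1ULL << 55,       4096, "shift wraps to offset 0" },
		{ (1ULL << 55) - 1, 4096, "addition wraps past 2^64" },
	};

	for (unsigned i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-32s sum-only=%d safe=%d\n", t[i].what,
		       valid_sum(t[i].sector, t[i].size, DISKSIZE),
		       valid_safe(t[i].sector, t[i].size, DISKSIZE));
	return 0;
}
```
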