Re: [PATCH v2] fs: make d_path-like functions all have unsigned size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 27, 2021 at 03:39:31PM +0300, Andy Shevchenko wrote:
> On Tue, Jul 27, 2021 at 02:07:54PM +0200, Greg Kroah-Hartman wrote:
> > When running static analysis tools to find where signed values could
> > potentially wrap the family of d_path() functions turn out to trigger a
> > lot of mess.  In evaluating the code, all of these usages seem safe, but
> > pointer math is involved so if a negative number is ever somehow passed
> > into these functions, memory can be traversed backwards in ways not
> > intended.
> > 
> > Resolve all of the abuguity by just making "size" an unsigned value,
> > which takes the guesswork out of everything involved.
> 
> Are you sure it's correct change?
> 
> Look into extract_string() implementation.
> 
> 	if (likely(p->len >= 0))
> 		return p->buf;
> 	return ERR_PTR(-ENAMETOOLONG);
> 
> Your change makes it equal to
> 
> 	return p->buf;
> 
> if I'm not mistaken.

Yes it does, you are right.  So now we don't need to check the wrap
there :)

So this code is explicitly wanting the value to wrap into a negative
value to check for problems, didn't expect that.

Still feels very fragile, if you look at the documentation for __d_path,
it says:
	"buflen" should be positive.
and if you look at who calls it, they are all passing in an unsigned
value, seq_path_root() uses a size_t as buflen.  What's the issues
involved there when size_t is a unsigned value going into a signed int?

And my mistake from earlier, size_t is the same as unsigned int, not
unsigned long.

Anyway, this code feels subtle and tricky here, such that parsing tools
warn "hey, something might be wrong here, check it out!"

I'm not set on changing prepend_buffer->len, but I will not complain if
it is, but we might want to have a different check in extract_string()
and prepend() to verify that p->len does not go bigger than
MAX_SOMETHING?

But in the end, you are right, this version of the patch is not ok, all
of the checks for len being < 0 are now moot, gotta love the fact that
gcc didn't say squat about that :(

thanks,

greg k-h



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux