The patch titled
Subject: adfs: use 'unsigned' types for memcpy length
has been removed from the -mm tree. Its filename was
adfs-use-unsigned-types-for-memcpy-length.patch
This patch was dropped because an updated version will be merged
------------------------------------------------------
From: Arnd Bergmann <arnd@xxxxxxxx>
Subject: adfs: use 'unsigned' types for memcpy length
After 62d1034f53e3 ("fortify: use WARN instead of BUG for now"), we get a
warning in adfs about a possible buffer overflow:
In function 'memcpy',
inlined from '__adfs_dir_put' at fs/adfs/dir_f.c:318:2,
inlined from 'adfs_f_update' at fs/adfs/dir_f.c:403:2:
include/linux/string.h:305:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
__read_overflow2();
^~~~~~~~~~~~~~~~~~
The warning is correct in the sense that a negative 'pos' argument to the
function would have that result. However, this is not a bug, as we know
the position is always positive (in fact, between 5 and 2007, inclusive)
when the function gets called.
Changing the variable to a unsigned type avoids the problem. I decided to
use 'unsigned int' for the position in the directory and the block number,
as they are both counting things, but use size_t for the offset and length
that get passed into memcpy. This shuts up the warning.
Link: http://lkml.kernel.org/r/20170801120438.1582336-2-arnd@xxxxxxxx
Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/adfs/dir_f.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff -puN fs/adfs/dir_f.c~adfs-use-unsigned-types-for-memcpy-length fs/adfs/dir_f.c
--- a/fs/adfs/dir_f.c~adfs-use-unsigned-types-for-memcpy-length
+++ a/fs/adfs/dir_f.c
@@ -283,11 +283,12 @@ __adfs_dir_get(struct adfs_dir *dir, int
}
static int
-__adfs_dir_put(struct adfs_dir *dir, int pos, struct object_info *obj)
+__adfs_dir_put(struct adfs_dir *dir, unsigned int pos, struct object_info *obj)
{
struct super_block *sb = dir->sb;
struct adfs_direntry de;
- int thissize, buffer, offset;
+ unsigned int buffer;
+ size_t thissize, offset;
buffer = pos >> sb->s_blocksize_bits;
_
Patches currently in -mm which might be from arnd@xxxxxxxx are
mm-zone_device-new-type-of-zone_device-for-unaddressable-memory-fix.patch
fs-proc-remove-priv-argument-from-is_stack-fix.patch
fscache-fix-fscache_objlist_show-format-processing.patch
ib-mlx4-fix-sprintf-format-warning.patch
iopoll-avoid-wint-in-bool-context-warning.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
