Re: [PATCH] tcmu: Fix possible overflow for memcpy address in iovec

Xiubo,

On Tue, 2017-07-11 at 17:04 +0800, Xiubo Li wrote:
> > > > > diff --git a/drivers/target/target_core_user.c
> > > > > b/drivers/target/target_core_user.c
> > > > > index 930800c..86a845a 100644
> > > > > --- a/drivers/target/target_core_user.c
> > > > > +++ b/drivers/target/target_core_user.c
> > > > > @@ -437,7 +437,7 @@ static int scatter_data_area(struct tcmu_dev
> > > > > *udev,
> > > > >    			to_offset = get_block_offset_user(udev,
> > > > > dbi,
> > > > >    					block_remaining);
> > > > >    			offset = DATA_BLOCK_SIZE -
> > > > > block_remaining;
> > > > > -			to = (void *)(unsigned long)to + offset;
> > > > > +			to = (void *)((unsigned long)to + offset);
> > > > >    
> > > > >    			if (*iov_cnt != 0 &&
> > > > >    			    to_offset == iov_tail(udev, *iov)) {
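
Review bot: in scatter_data_area the removed line "to = (void *)(unsigned long)to + offset;" already parses as ((void *)(unsigned long)to) + offset, because a cast binds tighter than "+", and in the GNU C the kernel is built with void * arithmetic advances by bytes. Moving the parenthesis therefore leaves the value of "to" unchanged. If the aim is readability, drop the casts and write "to += offset;"; if a real overflow is being fixed, the changelog needs to say which address goes out of range and why this line is responsible.
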
> > > > > @@ -510,7 +510,7 @@ static void gather_data_area(struct tcmu_dev
> > > > > *udev, struct tcmu_cmd *cmd,
> > > > >    			copy_bytes = min_t(size_t, sg_remaining,
> > > > >    					block_remaining);
> > > > >    			offset = DATA_BLOCK_SIZE -
> > > > > block_remaining;
> > > > > -			from = (void *)(unsigned long)from +
> > > > > offset;
> > > > > +			from = (void *)((unsigned long)from +
> > > > > offset);
> > > > >    			tcmu_flush_dcache_range(from,
> > > > > copy_bytes);
> > > > >    			memcpy(to + sg->length - sg_remaining,
> > > > > from,
> > > > >    					copy_bytes);
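
Review bot: the memcpy source in gather_data_area is the same address before and after this hunk, since "(void *)((unsigned long)from + offset)" and the line it replaces both add offset bytes to from. copy_bytes is already limited to min_t(size_t, sg_remaining, block_remaining) and offset is DATA_BLOCK_SIZE - block_remaining, so nothing in the visible lines adds a bound that was missing. Please either simplify to "from += offset;" or describe in the commit message the input for which the old expression produced a different pointer.
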
> > 
> > I was just looking at this patch and about to try to see if it fixes my
> > problem... It cannot hurt. Trying...
> 
> Hi Damien,
> 
> Please test another patch, I think that one may fix this.

void * pointer arithmetic is OK and equivalent to unsigned long. So I do not
think this actually fixes anything and could be rewritten more simply as

to += offset;

and 

from += offset.

And that compiles without a warning and there are no complaints from sparse.

Cheers.


-- 
Damien Le Moal
Western Digital
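
The equivalence stated in the reply above, as an added example that is not part of the original thread or of the kernel source: it compares the removed, added and suggested forms on a void * and shows, as a contrast that goes beyond the thread, that the parenthesis only matters for a typed pointer. The function names and sample_block are hypothetical, and the code assumes GCC or Clang in their default GNU C mode on a target where unsigned long is pointer-sized.

```c
/* Added example; not code from the patch or from target_core_user.c. */
#include <stddef.h>
#include <stdio.h>

static int sample_block[1024];	/* constructed stand-in for one data block */

/* Form removed by the patch: the casts bind tighter than '+', so this is
 * ((void *)(unsigned long)p) + offset, i.e. GNU byte-sized void * arithmetic. */
static void *old_form(void *p, size_t offset)
{
	return (void *)(unsigned long)p + offset;
}

/* Form added by the patch: integer addition first, then one cast back. */
static void *new_form(void *p, size_t offset)
{
	return (void *)((unsigned long)p + offset);
}

/* Form suggested in the reply. */
static void *plain_form(void *p, size_t offset)
{
	p += offset;
	return p;
}

/* Contrast: with a typed pointer the same two spellings diverge. */
static int *typed_old(int *p, size_t offset)
{
	return (int *)(unsigned long)p + offset;	/* offset * sizeof(int) bytes */
}

static int *typed_new(int *p, size_t offset)
{
	return (int *)((unsigned long)p + offset);	/* offset bytes */
}

int main(void)
{
	size_t off = 64;

	printf("void *: old=%p new=%p plain=%p\n", old_form(sample_block, off),
	       new_form(sample_block, off), plain_form(sample_block, off));
	printf("int *:  old=%p new=%p\n", (void *)typed_old(sample_block, off),
	       (void *)typed_new(sample_block, off));
	return 0;
}
```
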