[RFC PATCH v1 6/8] zram: avoid access beyond the zram device
Jerome Marchand
jmarchan at redhat.com
Wed Jun 5 08:52:48 UTC 2013
On 06/04/2013 05:09 PM, Jiang Liu wrote:
> On Tue 04 Jun 2013 09:15:43 PM CST, Jerome Marchand wrote:
>> On 06/03/2013 05:42 PM, Jiang Liu wrote:
>>> Function valid_io_request() should verify the entire request doesn't
>>> exceed the zram device, otherwise it will cause invalid memory access.
>>>
>>> Signed-off-by: Jiang Liu <jiang.liu at huawei.com>
>>> ---
>>> drivers/staging/zram/zram_drv.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>>> index 66cf28a..64b51b9 100644
>>> --- a/drivers/staging/zram/zram_drv.c
>>> +++ b/drivers/staging/zram/zram_drv.c
>>> @@ -428,6 +428,10 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
>>> return 0;
>>> }
>>>
>>> + if (unlikely((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>>> + zram->disksize))
>>> + return 0;
>>> +
>>
>> This test make the first line of previous test redundant. Why not just
>> update it like the following:
>>
>> - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> + ((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>> + zram->disksize)) ||
>>
>>
>> Jerome
> Hi Jerome,
> I think the test "bio->bi_sector >= (zram->disksize >>
> SECTOR_SHIFT)" is still
> needed to protect "(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size"
> from wrapping
> around.
Good point, but I don't see how this is going to catch all the possible
values that overflow. You still need an explicit overflow test
(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size < bio->bi_size), at
which point the first test would be useless.
Jerome
> Regards!
> Gerry
>
>>
>>> /* I/O request is valid */
>>> return 1;
>>> }
>>>
>>
>
>
More information about the devel
mailing list