[lvc-project] [PATCH v2] udf: balloc: prevent integer overflow in udf_bitmap_free_blocks()

Sergey Shtylyov s.shtylyov at omp.ru
Thu Jun 20 21:47:48 MSK 2024


Hi!

   I didn't notice at first that your mail had already been addressed to the maintainer.
Now I've removed him along with LKML...

On 6/20/24 10:24 AM, Roman Smirnov wrote:

> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Overflow is also possible when we sum offset and
> sizeof(struct spaceBitmapDesc) << 3. For this reason it
> is necessary to check overflow of this too. The result is
> stored in total_offset.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Suggested-by: Jan Kara <jack at suse.com>
> Signed-off-by: Roman Smirnov <r.smirnov at omp.ru>
> ---
>  V1 -> V2: Overflow checks have been replaced by functions

   It would have been better to say something like "made use of check_add_overflow()"...
And that wasn't the only change you made, so you should also have added:

- moved overflow check before the assignment to the block variable;
- added overflow check for the expression offset + (sizeof(struct
spaceBitmapDesc) << 3).

[...]

MBR, Sergey
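
The two additions named in the commit message, as an added user-space example that is not the patch or kernel code. The function names and the 32-bit types are hypothetical, the 24-byte header size is an assumed stand-in for sizeof(struct spaceBitmapDesc), and `__builtin_add_overflow()` is the compiler builtin that the kernel's check_add_overflow() wraps.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(struct spaceBitmapDesc) << 3 (header size in bits). */
#define HDR_BITS (24u << 3)

/* Unchecked form: both additions wrap silently modulo 2^32. */
uint32_t unchecked_bit_index(uint32_t block, uint32_t offset)
{
    return block + offset + HDR_BITS;
}

/*
 * Checked form: reject the input as soon as either sum wraps.
 * Returns 0 and stores the bit index in *bit, or -1 on overflow.
 */
int checked_bit_index(uint32_t block, uint32_t offset, uint32_t *bit)
{
    uint32_t total_offset;

    /* offset + (sizeof(struct spaceBitmapDesc) << 3), kept in total_offset */
    if (__builtin_add_overflow(offset, HDR_BITS, &total_offset))
        return -1;
    /* block + total_offset, checked before the result is ever used */
    if (__builtin_add_overflow(block, total_offset, bit))
        return -1;
    return 0;
}

int main(void)
{
    uint32_t bit = 0;

    /* Constructed inputs: last representable block with offset 1. */
    printf("unchecked: %u\n", unchecked_bit_index(UINT32_MAX, 1));
    printf("checked:   %d\n", checked_bit_index(UINT32_MAX, 1, &bit));

    /* Constructed benign input. */
    if (checked_bit_index(10, 5, &bit) == 0)
        printf("bit index: %u\n", bit);
    return 0;
}
```

With the unchecked form the wrapped result looks like a valid small bit index, which is why the check has to run before the value is assigned and used.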


