kobject: Read buffer overflow

Message ID	4A754814.50506@gmail.com (mailing list archive)
State	Accepted
Headers	show Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n727xLle000303 for <patchwork-parisc@patchwork.kernel.org>; Sun, 2 Aug 2009 07:59:21 GMT DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; b=lggWTJYko9DZP9AJwFwfnKFStAoDAq1qcgtF5Y9kf5SqOZ9/agoyZHcyUBoiQ9SkZo nQC0kkhZUCE5x+cuy8KFVJshiX0l5n570LgNLtmvCUzHo/hfBeM3fvAS8nrgvq9z0jyM M5JMCjrkbcn+0Iwc2979hszPvPvUBpTLFqqlo= Message-ID: <4A754814.50506@gmail.com> Date: Sun, 02 Aug 2009 10:02:28 +0200 From: Roel Kluin <roel.kluin@gmail.com> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2 MIME-Version: 1.0 To: kyle@mcmartin.ca, deller@gmx.de, linux-parisc@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org> Subject: [PATCH] kobject: Read buffer overflow Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-parisc-owner@vger.kernel.org Precedence: bulk

Message ID

4A754814.50506@gmail.com (mailing list archive)

State

Accepted

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject
	:content-type:content-transfer-encoding;
	b=lggWTJYko9DZP9AJwFwfnKFStAoDAq1qcgtF5Y9kf5SqOZ9/agoyZHcyUBoiQ9SkZo
	nQC0kkhZUCE5x+cuy8KFVJshiX0l5n570LgNLtmvCUzHo/hfBeM3fvAS8nrgvq9z0jyM
	M5JMCjrkbcn+0Iwc2979hszPvPvUBpTLFqqlo=
Message-ID: <4A754814.50506@gmail.com>
Date: Sun, 02 Aug 2009 10:02:28 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: kyle@mcmartin.ca, deller@gmx.de, linux-parisc@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH] kobject: Read buffer overflow
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-parisc-owner@vger.kernel.org
Precedence: bulk

Commit Message

Roel Kluin Aug. 2, 2009, 8:02 a.m. UTC

Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
This also removes the likely, should it be kept?

--
To unsubscribe from this list: send the line "unsubscribe linux-parisc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Thibaut VARENE Aug. 2, 2009, 10:06 a.m. UTC | #1

On Sun, Aug 2, 2009 at 10:02 AM, Roel Kluin<roel.kluin@gmail.com> wrote:
> Check whether index is within bounds before testing the element.

The change is correct but:
- There are other places in the code with that construct. Even though
they wouldn't trigger an overflow, why not fixing them too?
- Keep the likely: we are more likely to run out of data in the layers
than to exhaust the counter (which is why no overflow was ever
triggered, I believe ;-)

HTH

T-Bone

> diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c
> index f9f9a5f..13a64bc 100644
> --- a/drivers/parisc/pdc_stable.c
> +++ b/drivers/parisc/pdc_stable.c
> @@ -370,7 +370,7 @@ pdcspath_layer_read(struct pdcspath_entry *entry, char *buf)
> Â  Â  Â  Â if (!i) /* entry is not ready */
> Â  Â  Â  Â  Â  Â  Â  Â return -ENODATA;
>
> - Â  Â  Â  for (i = 0; devpath->layers[i] && (likely(i < 6)); i++)
> + Â  Â  Â  for (i = 0; i < 6 && devpath->layers[i]; i++)
> Â  Â  Â  Â  Â  Â  Â  Â out += sprintf(out, "%u ", devpath->layers[i]);
>
> Â  Â  Â  Â out += sprintf(out, "\n");
> --
> To unsubscribe from this list: send the line "unsubscribe linux-parisc" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at Â http://vger.kernel.org/majordomo-info.html
>

Matthew Wilcox Aug. 2, 2009, 10:16 a.m. UTC | #2

On Sun, Aug 02, 2009 at 12:06:59PM +0200, Thibaut VARENE wrote:
> On Sun, Aug 2, 2009 at 10:02 AM, Roel Kluin<roel.kluin@gmail.com> wrote:
> > Check whether index is within bounds before testing the element.
> 
> The change is correct but:
> - There are other places in the code with that construct. Even though
> they wouldn't trigger an overflow, why not fixing them too?
> - Keep the likely: we are more likely to run out of data in the layers
> than to exhaust the counter (which is why no overflow was ever
> triggered, I believe ;-)

No, lose the likely.  It's a for-loop; gcc will do the right thing.

(If you think I'm wrong, convince me by showing the disassembly of the
compiled code with and without the likely).

Thibaut VARENE Aug. 2, 2009, 10:24 a.m. UTC | #3

On Sun, Aug 2, 2009 at 12:16 PM, Matthew Wilcox<matthew@wil.cx> wrote:
> On Sun, Aug 02, 2009 at 12:06:59PM +0200, Thibaut VARENE wrote:
>> On Sun, Aug 2, 2009 at 10:02 AM, Roel Kluin<roel.kluin@gmail.com> wrote:
>> > Check whether index is within bounds before testing the element.
>>
>> The change is correct but:
>> - There are other places in the code with that construct. Even though
>> they wouldn't trigger an overflow, why not fixing them too?
>> - Keep the likely: we are more likely to run out of data in the layers
>> than to exhaust the counter (which is why no overflow was ever
>> triggered, I believe ;-)
>
> No, lose the likely. Â It's a for-loop; gcc will do the right thing.

I stand corrected then. ;-)
Thanks willy.

T-Bone

James Bottomley Aug. 2, 2009, 11:33 p.m. UTC | #4

On Sun, 2009-08-02 at 10:02 +0200, Roel Kluin wrote:
> Check whether index is within bounds before testing the element.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> This also removes the likely, should it be kept?
> 
> diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c
> index f9f9a5f..13a64bc 100644
> --- a/drivers/parisc/pdc_stable.c
> +++ b/drivers/parisc/pdc_stable.c
> @@ -370,7 +370,7 @@ pdcspath_layer_read(struct pdcspath_entry *entry, char *buf)
>  	if (!i)	/* entry is not ready */
>  		return -ENODATA;
>  	
> -	for (i = 0; devpath->layers[i] && (likely(i < 6)); i++)
> +	for (i = 0; i < 6 && devpath->layers[i]; i++)

Since all patterns like this (swapping the order of conditions with no
side effects in a for loop condition) are basically trivial, shouldn't
they be going via Jiri Kosina (trivial tree)?  

James


--
To unsubscribe from this list: send the line "unsubscribe linux-parisc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/parisc/pdc_stable.c b/drivers/parisc/pdc_stable.c
index f9f9a5f..13a64bc 100644
--- a/drivers/parisc/pdc_stable.c
+++ b/drivers/parisc/pdc_stable.c
@@ -370,7 +370,7 @@  pdcspath_layer_read(struct pdcspath_entry *entry, char *buf)
 	if (!i)	/* entry is not ready */
 		return -ENODATA;
 	
-	for (i = 0; devpath->layers[i] && (likely(i < 6)); i++)
+	for (i = 0; i < 6 && devpath->layers[i]; i++)
 		out += sprintf(out, "%u ", devpath->layers[i]);
 
 	out += sprintf(out, "\n");

kobject: Read buffer overflow

Commit Message

Comments

Patch