From patchwork Fri Feb 8 16:32:53 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alex Elder X-Patchwork-Id: 2116951 Return-Path: X-Original-To: patchwork-ceph-devel@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id 5FC75DFE75 for ; Fri, 8 Feb 2013 16:32:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760152Ab3BHQc5 (ORCPT ); Fri, 8 Feb 2013 11:32:57 -0500 Received: from mail-ie0-f181.google.com ([209.85.223.181]:65139 "EHLO mail-ie0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759956Ab3BHQc4 (ORCPT ); Fri, 8 Feb 2013 11:32:56 -0500 Received: by mail-ie0-f181.google.com with SMTP id 17so5289440iea.12 for ; Fri, 08 Feb 2013 08:32:56 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding :x-gm-message-state; bh=7l28hjnW3TwbjF4PblFxFIdNebZHP5dKww6tJxqyd10=; b=AFAWWzNI06ztguZkMjBnMwTwi39IjYVljrQPAn7AksFk2A/d725MZHNV1RrSiw8D9Z 7RdPOVBowq/DDfTodFyEoiMB0xK+sbSakRCJx7Ew9NkW3Ybgwht1V8AM+jSjr3d/AOsO ES1+H5Zgu727arJ4HYVXhxPecWXFzqufFiDaNMCC6/D/GONXvOyKx4DdKVJrLhYF1/Db mvSayIfRgbVevIIgRmUfEfPz/vuGrg0ykz2PqAZKod1Taypx/6e0dNmMHeKzCUx9x0OY tk2H08AlTBOF+Kqe+Mz/3oq+QORAakCpzh/VMO5vNDkPt10f2iUevkwP4zMpGmbem5IA sYog== X-Received: by 10.50.179.66 with SMTP id de2mr3451899igc.59.1360341176391; Fri, 08 Feb 2013 08:32:56 -0800 (PST) Received: from [172.22.22.4] (c-71-195-31-37.hsd1.mn.comcast.net. [71.195.31.37]) by mx.google.com with ESMTPS id uy13sm15786276igb.7.2013.02.08.08.32.53 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 08 Feb 2013 08:32:54 -0800 (PST) Message-ID: <511528B5.5090607@inktank.com> Date: Fri, 08 Feb 2013 10:32:53 -0600 From: Alex Elder User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2 MIME-Version: 1.0 To: "ceph-devel@vger.kernel.org" Subject: [PATCH 3/5] rbd: prevent bytes transferred overflow References: <51152847.2030305@inktank.com> In-Reply-To: <51152847.2030305@inktank.com> X-Gm-Message-State: ALoCoQmTTbi9vABR08fWs9KkYGoNNLAmh8JLN4vWnU4BtkDjSMudd0h8MBTPCMtjT1SM881RffSK Sender: ceph-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: ceph-devel@vger.kernel.org In rbd_obj_read_sync(), verify the number of bytes transferred won't exceed what can be represented by a size_t before using it to indicate the number of bytes to copy to the result buffer. (The real motivation for this is to prepare for the next patch.) Signed-off-by: Alex Elder --- drivers/block/rbd.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) page_count = (u32) calc_pages_for(offset, length); @@ -2084,7 +2085,10 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, ret = obj_request->result; if (ret < 0) goto out; - ret = ceph_copy_from_page_vector(pages, buf, 0, obj_request->xferred); + + rbd_assert(obj_request->xferred <= (u64) SIZE_MAX); + size = (size_t) obj_request->xferred; + ret = ceph_copy_from_page_vector(pages, buf, 0, size); if (version) *version = obj_request->version; out: diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 37361bd..99f1a29 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -2048,6 +2048,7 @@ static int rbd_obj_read_sync(struct rbd_device *rbd_dev, struct ceph_osd_client *osdc; struct page **pages = NULL; u32 page_count; + size_t size; int ret;