Subject: Re: [PATCH] cxl/pmem: Use size_add() against integer overflow
To: Ira Weiny
Cc: "Schofield, Alison", "Verma, Vishal L", "bwidawsk@kernel.org", "Williams, Dan J", "linux-cxl@vger.kernel.org", "linux-kernel@vger.kernel.org", "liqiong@nfschina.com", "kernel-janitors@vger.kernel.org"
References: <20220927070247.23148-1-yuzhe@nfschina.com>
From: Yu Zhe
Date: Thu, 29 Sep 2022 15:02:47 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-09-28 00:23, Ira Weiny wrote:
> On Tue, Sep 27, 2022 at 12:02:47AM -0700, Yu Zhe wrote:
>> "struct_size() + n" may cause an integer overflow,
>> use size_add() to handle it.
>>
>> Signed-off-by: Yu Zhe
>> ---
>> drivers/cxl/pmem.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/cxl/pmem.c b/drivers/cxl/pmem.c
>> index 7dc0a2fa1a6b..8c08aa009a56 100644
>> --- a/drivers/cxl/pmem.c
>> +++ b/drivers/cxl/pmem.c
>> @@ -148,7 +148,7 @@ static int cxl_pmem_set_config_data(struct cxl_dev_state *cxlds,
>> return -EINVAL;
>>
>> /* 4-byte status follows the input data in the payload */
>> - if (struct_size(cmd, in_buf, cmd->in_length) + 4 > buf_len)
>> + if (size_add(struct_size(cmd, in_buf, cmd->in_length), 4) > buf_len)
> I don't see any benefit here.
>
> struct_size() calls __ab_c_size() which already calls check_add_overflow()? So
> why wrap that in another check?

"struct_size() + 4" still might cause overflow, so there is a need to use
"size_add" to check it.

> Were you able to get this to fail with some user input?
>
> Ira
>
>> return -EINVAL;
>>
>> set_lsa =
>> --
>> 2.11.0
>>
>>
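
Review bot: the changelog does not say how the sum in the changed `if` of cxl_pmem_set_config_data() overflows, which is exactly the question raised in review. struct_size() already saturates to SIZE_MAX when its own arithmetic overflows, and it is the bare `+ 4` applied to that saturated result that can wrap to a small value and slip under `> buf_len`; size_add() keeps the sum at SIZE_MAX so the check still returns -EINVAL. Please spell that out in the commit message, and state the type of cmd->in_length and whether a value that large is reachable, since neither is visible in this hunk.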
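
The point argued in this thread, as an added example that is not part of the original mail or of the kernel source: a user-space C model of the check before and after the patch. The helpers `model_size_add`, `model_size_mul` and `model_struct_size`, the 8-byte header, and the `size_t` count are assumptions chosen so the overflow is reachable on any platform; the real width of `cmd->in_length` is not shown on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models of the kernel's saturating helpers; like the real
 * ones they return SIZE_MAX on overflow instead of wrapping. */
static size_t model_size_add(size_t a, size_t b)
{
    size_t sum;
    return __builtin_add_overflow(a, b, &sum) ? SIZE_MAX : sum;
}

static size_t model_size_mul(size_t a, size_t b)
{
    size_t prod;
    return __builtin_mul_overflow(a, b, &prod) ? SIZE_MAX : prod;
}

/* Hypothetical layout: 8-byte header followed by a flexible byte array. */
static size_t model_struct_size(size_t count)
{
    return model_size_add(8, model_size_mul(count, 1));
}

/* Old check: returns 1 when the payload is rejected (-EINVAL path). */
static int reject_plain_add(size_t in_length, size_t buf_len)
{
    /* A saturated SIZE_MAX plus 4 wraps around to 3. */
    return model_struct_size(in_length) + 4 > buf_len;
}

/* Patched check: the sum stays at SIZE_MAX, so the comparison holds. */
static int reject_size_add(size_t in_length, size_t buf_len)
{
    return model_size_add(model_struct_size(in_length), 4) > buf_len;
}

int main(void)
{
    size_t buf_len = 4096;                 /* constructed sample value */
    size_t lens[] = { 100, 4090, SIZE_MAX - 2 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("in_length=%zu plain_add rejects=%d size_add rejects=%d\n",
               lens[i], reject_plain_add(lens[i], buf_len),
               reject_size_add(lens[i], buf_len));
    return 0;
}
```

Only the last constructed length separates the two checks: the plain addition accepts it, the saturating one rejects it.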