From: Dan Carpenter <dan.carpenter@linaro.org>
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev
Subject: [bug report] fs/ntfs3: Add attrib operations
Date: Tue, 25 Jul 2023 14:45:37 +0300
Message-ID: <fbbe8988-789f-4837-b3fb-52baa02cebff@moroto.mountain>

Hello Konstantin Komarov,

The patch be71b5cba2e6: "fs/ntfs3: Add attrib operations" from Aug
13, 2021 (linux-next), leads to the following Smatch static checker
warning:

	fs/ntfs3/xattr.c:393 ntfs_set_ea()
	warn: integer overflows

fs/ntfs3/xattr.c
    301 static noinline int ntfs_set_ea(struct inode *inode, const char *name,
    302                                 size_t name_len, const void *value,
    303                                 size_t val_size, int flags, bool locked,
    304                                 __le16 *ea_size)
    305 {
    306         struct ntfs_inode *ni = ntfs_i(inode);
    307         struct ntfs_sb_info *sbi = ni->mi.sbi;
    308         int err;
    309         struct EA_INFO ea_info;
    310         const struct EA_INFO *info;
    311         struct EA_FULL *new_ea;
    312         struct EA_FULL *ea_all = NULL;
    313         size_t add, new_pack;
    314         u32 off, size, ea_sz;
    315         __le16 size_pack;
    316         struct ATTRIB *attr;
    317         struct ATTR_LIST_ENTRY *le;
    318         struct mft_inode *mi;
    319         struct runs_tree ea_run;
    320         u64 new_sz;
    321         void *p;
    322
    323         if (!locked)
    324                 ni_lock(ni);
    325
    326         run_init(&ea_run);
    327
    328         if (name_len > 255) {
    329                 err = -ENAMETOOLONG;
    330                 goto out;
    331         }
    332
    333         add = ALIGN(struct_size(ea_all, name, 1 + name_len + val_size), 4);

It's bad to mix struct_size() with any sort of math. Going into it, can
this overflow "1 + name_len + val_size"? And then struct_size() returns
ULONG_MAX if there is an overflow. When you pass that to ALIGN() it
becomes zero.

    334
    335         err = ntfs_read_ea(ni, &ea_all, add, &info);
    336         if (err)
    337                 goto out;

regards,
dan carpenter
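
The two failure modes raised in the report above, reproduced in user-space C as an added illustration (not part of the original message and not ntfs3 code). `struct ea_model`, `ALIGN_UP`, `struct_size_model` and the `ea_add_*` helpers are hypothetical names; `struct_size_model` models only the saturate-on-overflow behaviour the message describes, and the checked variant is one possible approach, not the fix adopted upstream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an EA record: 8-byte header plus flexible name[]. */
struct ea_model {
	uint8_t header[8];
	uint8_t name[];
};

/* Same round-up arithmetic as the kernel's ALIGN() for a power-of-two boundary. */
#define ALIGN_UP(x, a) (((x) + ((size_t)(a) - 1)) & ~((size_t)(a) - 1))

/* Models only the behaviour described in the message: SIZE_MAX on overflow. */
size_t struct_size_model(size_t count)
{
	size_t total;
	if (__builtin_add_overflow(sizeof(struct ea_model), count, &total))
		return SIZE_MAX;
	return total;
}

/* Pattern from the report: open-coded sum, then struct_size(), then ALIGN(). */
size_t ea_add_unchecked(size_t name_len, size_t val_size)
{
	return ALIGN_UP(struct_size_model(1 + name_len + val_size), 4);
}

/* Checked variant (an assumption, not the ntfs3 fix): fail instead of wrapping. */
bool ea_add_checked(size_t name_len, size_t val_size, size_t *out)
{
	size_t n;
	if (__builtin_add_overflow(name_len, val_size, &n) ||
	    __builtin_add_overflow(n, (size_t)1, &n) ||
	    __builtin_add_overflow(n, sizeof(struct ea_model), &n) ||
	    __builtin_add_overflow(n, (size_t)3, &n))
		return false;
	*out = n & ~(size_t)3;
	return true;
}

int main(void)
{
	/* Saturation then ALIGN gives 0; a wrapped sum gives a plausible-looking 8. */
	printf("%zu %zu\n", ea_add_unchecked(255, SIZE_MAX - 260),
	       ea_add_unchecked(255, SIZE_MAX - 255));
	return 0;
}
```

In both overflow cases the unchecked result is far smaller than the requested payload, which is why the size has to be validated before it is handed to an allocation or read routine.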