Message ID | 1330956459-8692-2-git-send-email-colin.king@canonical.com |
---|---|
State | New |
On Mon, Mar 05, 2012 at 02:07:39PM +0000, Colin King wrote: > From: Li Wang <liwang@nudt.edu.cn> > > ecryptfs_write() can enter an infinite loop when truncating a file to a > size larger than 4G. This only happens on architectures where size_t is > represented by 32 bits. > > This was caused by a size_t overflow due to it incorrectly being used to > store the result of a calculation which uses potentially large values of > type loff_t. > > [tyhicks@canonical.com: rewrite subject and commit message] > Signed-off-by: Li Wang <liwang@nudt.edu.cn> > Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn> > Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > Signed-off-by: Colin ian King <colin.king@canonical.com> > (cherry picked from commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34) > --- > fs/ecryptfs/read_write.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c > index 3745f7c..ec3d936 100644 > --- a/fs/ecryptfs/read_write.c > +++ b/fs/ecryptfs/read_write.c 
> @@ -130,13 +130,13 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, > pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); > size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); > size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); > - size_t total_remaining_bytes = ((offset + size) - pos); > + loff_t total_remaining_bytes = ((offset + size) - pos); > > if (num_bytes > total_remaining_bytes) > num_bytes = total_remaining_bytes; > if (pos < offset) { > /* remaining zeros to write, up to destination offset */ > - size_t total_remaining_zeros = (offset - pos); > + loff_t total_remaining_zeros = (offset - pos); > > if (num_bytes > total_remaining_zeros) > num_bytes = total_remaining_zeros; > -- > 1.7.9 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
On 05.03.2012 15:07, Colin King wrote: > From: Li Wang <liwang@nudt.edu.cn> > > ecryptfs_write() can enter an infinite loop when truncating a file to a > size larger than 4G. This only happens on architectures where size_t is > represented by 32 bits. > > This was caused by a size_t overflow due to it incorrectly being used to > store the result of a calculation which uses potentially large values of > type loff_t. > > [tyhicks@canonical.com: rewrite subject and commit message] > Signed-off-by: Li Wang <liwang@nudt.edu.cn> > Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn> > Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > Signed-off-by: Colin ian King <colin.king@canonical.com> > (cherry picked from commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34) Maybe better switch around the picked and sob. So picked and then signed off? Probably should have a bug link in there? > --- > fs/ecryptfs/read_write.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c > index 3745f7c..ec3d936 100644 > --- a/fs/ecryptfs/read_write.c > +++ b/fs/ecryptfs/read_write.c > @@ -130,13 +130,13 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, > pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); > size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); > size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); > - size_t total_remaining_bytes = ((offset + size) - pos); > + loff_t total_remaining_bytes = ((offset + size) - pos); > > if (num_bytes > total_remaining_bytes) > num_bytes = total_remaining_bytes; > if (pos < offset) { > /* remaining zeros to write, up to destination offset */ > - size_t total_remaining_zeros = (offset - pos); > + loff_t total_remaining_zeros = (offset - pos); > > if (num_bytes > total_remaining_zeros) > num_bytes = total_remaining_zeros;
diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c index 3745f7c..ec3d936 100644 --- a/fs/ecryptfs/read_write.c +++ b/fs/ecryptfs/read_write.c @@ -130,13 +130,13 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); - size_t total_remaining_bytes = ((offset + size) - pos); + loff_t total_remaining_bytes = ((offset + size) - pos); if (num_bytes > total_remaining_bytes) num_bytes = total_remaining_bytes; if (pos < offset) { /* remaining zeros to write, up to destination offset */ - size_t total_remaining_zeros = (offset - pos); + loff_t total_remaining_zeros = (offset - pos); if (num_bytes > total_remaining_zeros) num_bytes = total_remaining_zeros;
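Review bot: in `if (num_bytes > total_remaining_bytes)` and the matching `total_remaining_zeros` check, the comparison now mixes a size_t with a signed loff_t, and the assignment that follows each check narrows the loff_t back into the size_t `num_bytes`. The narrowing is safe only because the guard has just shown the value to be smaller than `num_bytes`, which starts at no more than PAGE_CACHE_SIZE. Making that explicit would help, for example `num_bytes = min_t(loff_t, num_bytes, total_remaining_bytes);` and the same for the zeros case, so the type used for the comparison is stated rather than left to the implicit conversion rules, which differ between 32-bit and 64-bit size_t. Nothing in the visible lines checks that `(offset + size) - pos` or `offset - pos` is non-negative (the second is covered by `pos < offset`, the first is not); with a signed type a negative remainder is now possible in principle and the clamp would not behave as intended, so a short comment naming the invariant the caller guarantees would be worth adding.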