[2/4] fs: btrfs: volumes: prevent overflow for multiplying

Message ID	20201031010752.23974-3-wqu@suse.com
State	Accepted
Commit	3b72612ad191cad29aad3982221ff3355bec798d
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Qu Wenruo <wqu@suse.com> To: u-boot@lists.denx.de Subject: [PATCH 2/4] fs: btrfs: volumes: prevent overflow for multiplying Date: Sat, 31 Oct 2020 09:07:50 +0800 Message-Id: <20201031010752.23974-3-wqu@suse.com> In-Reply-To: <20201031010752.23974-1-wqu@suse.com> References: <20201031010752.23974-1-wqu@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	fs: btrfs: coverity fixes \| expand [0/4] fs: btrfs: coverity fixes [1/4] fs: btrfs: inode: handle uninitialized type before returning it [2/4] fs: btrfs: volumes: prevent overflow for multiplying [3/4] fs: btrfs: initialize @ret to 0 to prevent uninitialized return value [4/4] fs: btrfs: initialize @ii in show_dir() to make coverity happy

Message ID

20201031010752.23974-3-wqu@suse.com

State

Accepted

Commit

3b72612ad191cad29aad3982221ff3355bec798d

Delegated to:

Tom Rini

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=pass (p=none dis=none) header.from=suse.com
Authentication-Results: ozlabs.org;
	dkim=pass (1024-bit key;
 unprotected) header.d=suse.com header.i=@suse.com header.a=rsa-sha256
 header.s=susede1 header.b=JOEPCuyr;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4CNLfB3Zt3z9sPB
	for <incoming@patchwork.ozlabs.org>; Sat, 31 Oct 2020 12:08:34 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id E4995825E7;
	Sat, 31 Oct 2020 02:08:13 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=suse.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key;
 unprotected) header.d=suse.com header.i=@suse.com header.b="JOEPCuyr";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 48B35825D5; Sat, 31 Oct 2020 02:08:08 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
 SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no
 version=3.4.2
Received: from mx2.suse.de (mx2.suse.de [195.135.220.15])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 5AC0B825D3
 for <u-boot@lists.denx.de>; Sat, 31 Oct 2020 02:08:05 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=suse.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=wqu@suse.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
 t=1604106485;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=HH8lQ1akO26njnlT3zR7xsFobDL35WMXPpLNM0yKvRs=;
 b=JOEPCuyrHRb03Cnmt1SFUYaQYlh79nmRFEwj6R0wYqbdn42v9tZV0vM0t0emjXbDNBdai7
 iRYualx8y9bB9kQKgq3dQM9QmnylCRQ791fYKjGEMWzoVCxXnwDv+QVHxaKSzGRhDcuQNn
 92Rn8uR4sfAvgp1wIMuXKWrh2YJUvqc=
Received: from relay2.suse.de (unknown [195.135.221.27])
 by mx2.suse.de (Postfix) with ESMTP id 1B12FAC1D
 for <u-boot@lists.denx.de>; Sat, 31 Oct 2020 01:08:05 +0000 (UTC)
From: Qu Wenruo <wqu@suse.com>
To: u-boot@lists.denx.de
Subject: [PATCH 2/4] fs: btrfs: volumes: prevent overflow for multiplying
Date: Sat, 31 Oct 2020 09:07:50 +0800
Message-Id: <20201031010752.23974-3-wqu@suse.com>
X-Mailer: git-send-email 2.29.1
In-Reply-To: <20201031010752.23974-1-wqu@suse.com>
References: <20201031010752.23974-1-wqu@suse.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de
X-Virus-Status: Clean

Series

fs: btrfs: coverity fixes | expand

Commit Message

Qu Wenruo Oct. 31, 2020, 1:07 a.m. UTC

In __btrfs_map_block() we do a int * int and assign it to u64.
This is not safe as the result (int * int) is still evaluated as (int)
thus it can overflow.

Convert one of the multiplier to u64 to prevent such problem.

In real world, this should not cause problem as we have device number
limit thus it won't go beyond 4G for a single stripe.

But it's harder to teach coverity about all these hidden limits, so just
fix the possible overflow.

Reported-by: Coverity CID 312957
Reported-by: Coverity CID 312948
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 fs/btrfs/volumes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Marek Behún Nov. 1, 2020, 11:02 p.m. UTC | #1

On Sat, 31 Oct 2020 09:07:50 +0800
Qu Wenruo <wqu@suse.com> wrote:

> In real world, this should not cause problem as we have device number
> limit thus it won't go beyond 4G for a single stripe.

So we can't run into this overflow in U-Boot because only one device is
supported? But in Linux we can run into this issue?

Qu Wenruo Nov. 2, 2020, 12:20 a.m. UTC | #2

On 2020/11/2 上午7:02, Marek Behun wrote:
> On Sat, 31 Oct 2020 09:07:50 +0800
> Qu Wenruo <wqu@suse.com> wrote:
> 
>> In real world, this should not cause problem as we have device number
>> limit thus it won't go beyond 4G for a single stripe.
> 
> So we can't run into this overflow in U-Boot because only one device is
> supported? But in Linux we can run into this issue?
> 
In kernel, we have device number check, IIRC for default nodesize is
just several donzens of devices.
And since each stripe is only 64K fixed in btrfs, you can see it won't
go beyond 4G even in kernel.

Thanks,
Qu

Qu Wenruo Nov. 2, 2020, 1:06 a.m. UTC | #3

On 2020/11/2 上午8:20, Qu Wenruo wrote:
> 
> 
> On 2020/11/2 上午7:02, Marek Behun wrote:
>> On Sat, 31 Oct 2020 09:07:50 +0800
>> Qu Wenruo <wqu@suse.com> wrote:
>>
>>> In real world, this should not cause problem as we have device number
>>> limit thus it won't go beyond 4G for a single stripe.
>>
>> So we can't run into this overflow in U-Boot because only one device is
>> supported? But in Linux we can run into this issue?
>>
> In kernel, we have device number check, IIRC for default nodesize is
> just several donzens of devices.
> And since each stripe is only 64K fixed in btrfs, you can see it won't
> go beyond 4G even in kernel.

Sorry, the 64K stripe_len is only for RAID56, and for kernel, we always
use u64 for stripe_len, thus we won't hit the problem.

The problem is in btrfs-progs, where the code comes from, we use int,
other than u64.

Thanks for the hint for the root cause, would related values to be u64
for both btrfs-progs and u-boot to follow the kernel scheme.

Thanks,
Qu
> 
> Thanks,
> Qu
>

Tom Rini Jan. 20, 2021, 9:46 p.m. UTC | #4

On Sat, Oct 31, 2020 at 09:07:50AM +0800, Qu Wenruo wrote:

> In __btrfs_map_block() we do a int * int and assign it to u64.
> This is not safe as the result (int * int) is still evaluated as (int)
> thus it can overflow.
> 
> Convert one of the multiplier to u64 to prevent such problem.
> 
> In real world, this should not cause problem as we have device number
> limit thus it won't go beyond 4G for a single stripe.
> 
> But it's harder to teach coverity about all these hidden limits, so just
> fix the possible overflow.
> 
> Reported-by: Coverity CID 312957
> Reported-by: Coverity CID 312948
> Signed-off-by: Qu Wenruo <wqu@suse.com>

Applied to u-boot/master, thanks!

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index fcf52d4b0ff3..4aaaeab663f5 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1030,7 +1030,7 @@  again:
 	 */
 	stripe_nr = stripe_nr / map->stripe_len;
 
-	stripe_offset = stripe_nr * map->stripe_len;
+	stripe_offset = stripe_nr * (u64)map->stripe_len;
 	BUG_ON(offset < stripe_offset);
 
 	/* stripe_offset is the offset of this block in its stripe*/
@@ -1103,7 +1103,7 @@  again:
 			rot = stripe_nr % map->num_stripes;
 
 			/* Fill in the logical address of each stripe */
-			tmp = stripe_nr * nr_data_stripes(map);
+			tmp = (u64)stripe_nr * nr_data_stripes(map);
 
 			for (i = 0; i < nr_data_stripes(map); i++)
 				raid_map[(i+rot) % map->num_stripes] =

[2/4] fs: btrfs: volumes: prevent overflow for multiplying

Commit Message

Comments

Patch