Re: [PATCH v2] NFSv4: prevent integer overflow while calling nfs4_set_lease_period()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/2/25 7:47 PM, Sergey Shtylyov wrote:
[...]

>> The nfs_client::cl_lease_time field (as well as the jiffies variable it's
>> used with) is declared as *unsigned long*, which is 32-bit type on 32-bit
>> arches and 64-bit type on 64-bit arches. When nfs4_set_lease_period() that
>> sets nfs_client::cl_lease_time is called, 32-bit nfs_fsinfo::lease_time
>> field is multiplied by HZ -- that might overflow before being implicitly
>> cast to *unsigned long*. Actually, there's no need to multiply by HZ at all
>> the call sites of nfs4_set_lease_period() -- it makes more sense to do that
>> once, inside that function, calling check_mul_overflow() and capping result
>> at ULONG_MAX on actual overflow...
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
>> Cc: stable@xxxxxxxxxxxxxxx
>>
>> ---
>> The patch is against the master branch of Trond Myklebust's linux-nfs.git repo.
>>
>> Changes in version 2:
>> - made use of check_mul_overflow() instead of mul_u32_u32();
>> - capped the multiplication result at ULONG_MAX instead of returning -ERANGE,
>>   keeping nfs4_set_lease_period() *void*;
>> - rewrote the patch description accordingly.
> 
>    Forgot to say that I had to adjust the patch description to make it clear
> that the overflow happens on 64-bit arches as well...

   Gentle ping!
   Anna, do you agree with this approach?

> [...]

MBR, Sergey





[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux