Feature #7339
closed
Restrict values of parameter of write callback of file operations
Added by Evgeny Novikov about 8 years ago.
Updated almost 8 years ago.
Category:
Environment models
Published in build:
d382669
Description
In 0f6ff65ed8d3 ZERO_SIZE_PTR (returned by kmalloc called with the 0 size) was avoided by early rejecting the 0 value of the cnt parameter that is passed later as a first kmalloc parameter.
If theoretically that parameter can be huge, adding 1 to it can result in overflow and again to call of kmalloc with 0 (CPAchecker with bit precise analysis could detect that). Indeed its values are limited by the kernel in rw_verify_area called by vfs_write (that is called in system call) prior to the write operation of file operations.
That's why we need to restrict values of parameter of write callback of file operations.
Thanks to Pavel, Vadim, Anton and Ilja for understanding this issue.
Related issues
1 (1 open — 0 closed)
- Priority changed from High to Urgent
1. count should be not more than MAX_RW_COUNT, expanding to MAX_INT - PAGE_SIZE
557 if (count > MAX_RW_COUNT)
558 count = MAX_RW_COUNT;
2. count should be >=0
- Assignee set to Ilja Zakharov
As far as I know Ilja took care about this feature now.
- Status changed from New to Resolved
Implemented in branch 'emg-fo-spec'.
This branch contains new specification for file operations (it was modelled by a pattern before) and a bug fix. Since the used functionality (parameter restrictions) has been used first time I have found a minor bug and a complicated bug. A minor bug I have fixed in the branch and for the complicated bug the issue has been opened (#7472). By the way it is not critical and can be avoided by a properly written specification.
After all fixes false positives are gone and we have proper transition unsafe->safe now before and after the mentioned commit.
- Status changed from Resolved to Closed
- Published in build set to d382669
Great! We almost reached the milestone (we will really reach it when we will return back one missed target bug).
I merged the branch to master in d382669.
Also available in: Atom
PDF