ceph: fix possible integer overflow in ceph_zero_objects()

Message ID	20250422093206.1228087-1-d.kandybka@gmail.com
State	New
Headers	show Received: from mail-lj1-f173.google.com (mail-lj1-f173.google.com [209.85.208.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BB76202C5C for <ceph-devel@vger.kernel.org>; Tue, 22 Apr 2025 09:32:10 +0000 (UTC) From: Dmitry Kandybka <d.kandybka@gmail.com> To: Xiubo Li <xiubli@redhat.com> Cc: Ilya Dryomov <idryomov@gmail.com>, ceph-devel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] ceph: fix possible integer overflow in ceph_zero_objects() Date: Tue, 22 Apr 2025 12:32:04 +0300 Message-ID: <20250422093206.1228087-1-d.kandybka@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	ceph: fix possible integer overflow in ceph_zero_objects() \| expand ceph: fix possible integer overflow in ceph_zero_objects()

Message ID

20250422093206.1228087-1-d.kandybka@gmail.com

State

New

Headers

From: Dmitry Kandybka <d.kandybka@gmail.com>
To: Xiubo Li <xiubli@redhat.com>
Cc: Ilya Dryomov <idryomov@gmail.com>,
	ceph-devel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH] ceph: fix possible integer overflow in ceph_zero_objects()
Date: Tue, 22 Apr 2025 12:32:04 +0300
Message-ID: <20250422093206.1228087-1-d.kandybka@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

ceph: fix possible integer overflow in ceph_zero_objects() | expand

Commit Message

Dmitry Kandybka April 22, 2025, 9:32 a.m. UTC

In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible
integer overflow.
Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
---
 fs/ceph/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Viacheslav Dubeyko April 22, 2025, 6:25 p.m. UTC | #1

On Tue, 2025-04-22 at 12:32 +0300, Dmitry Kandybka wrote:
> In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible
> integer overflow.
> Compile tested only.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
> ---
>  fs/ceph/file.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 851d70200c6b..a7254cab44cc 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -2616,7 +2616,7 @@ static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length)
>  	s32 stripe_unit = ci->i_layout.stripe_unit;
>  	s32 stripe_count = ci->i_layout.stripe_count;
>  	s32 object_size = ci->i_layout.object_size;

Frankly speaking, I don't quite follow why we are using signed type here (s32).
As object size as stripe count should be positive value always.

> -	u64 object_set_size = object_size * stripe_count;
> +	u64 object_set_size = (u64) object_size * stripe_count;
>  	u64 nearly, t;
>  
>  	/* round offset up to next period boundary */

Looks good.

Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>

Thanks,
Slava.

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 851d70200c6b..a7254cab44cc 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -2616,7 +2616,7 @@  static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length)
 	s32 stripe_unit = ci->i_layout.stripe_unit;
 	s32 stripe_count = ci->i_layout.stripe_count;
 	s32 object_size = ci->i_layout.object_size;
-	u64 object_set_size = object_size * stripe_count;
+	u64 object_set_size = (u64) object_size * stripe_count;
 	u64 nearly, t;
 
 	/* round offset up to next period boundary */

ceph: fix possible integer overflow in ceph_zero_objects()

Commit Message

Comments

Patch