Hi Tomas, I found some other subtraction between pdu->size and pdu->offset such as: p9pdu_vreadf() --min_t(uint32_t, *count, pdu->size - pdu->offset); p9_check_zc_errors() --len = req->rc->size - req->rc->offset;
I wonder if there are underflow risks? Thanks, Jun On 2018/7/10 3:26, Tomas Bortoli wrote: > The pdu_read() function suffers from an integer underflow. > When pdu->offset is greater than pdu->size, the length calculation will have > a wrong result, resulting in an out-of-bound read. > This patch modifies also pdu_write() in the same way to prevent the same > issue from happening there and for consistency. > > Signed-off-by: Tomas Bortoli <tomasbort...@gmail.com> > Reported-by: syzbot+65c6b72f284a39d41...@syzkaller.appspotmail.com > --- > net/9p/protocol.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/net/9p/protocol.c b/net/9p/protocol.c > index 931ea00c4fed..f1e2425f920b 100644 > --- a/net/9p/protocol.c > +++ b/net/9p/protocol.c > @@ -55,16 +55,20 @@ EXPORT_SYMBOL(p9stat_free); > > size_t pdu_read(struct p9_fcall *pdu, void *data, size_t size) > { > - size_t len = min(pdu->size - pdu->offset, size); > - memcpy(data, &pdu->sdata[pdu->offset], len); > + size_t len = pdu->offset > pdu->size ? 0 : > + min(pdu->size - pdu->offset, size); > + if (len != 0) > + memcpy(data, &pdu->sdata[pdu->offset], len); > pdu->offset += len; > return size - len; > } > > static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size) > { > - size_t len = min(pdu->capacity - pdu->size, size); > - memcpy(&pdu->sdata[pdu->size], data, len); > + size_t len = pdu->size > pdu->capacity ? 0 : > + min(pdu->capacity - pdu->size, size); > + if (len != 0) > + memcpy(&pdu->sdata[pdu->size], data, len); > pdu->size += len; > return size - len; > } >