[U-Boot] [PATCH] fs: ext4: Fix journal overrun issue reported by Coverity

While &p_jdb[fs->blksz] is a valid expression (it points *one* char-sized element past the end of the array), e.g. &p_jdb[fs->blksz + 1] is invalid (according to the C standard (C99/C11)).
Changing this to tag = (struct ext3_journal_block_tag *)(p_jdb + ofs);
Cc: Stefan Brüns stefan.bruens@rwth-aachen.de
Suggested-by: Stefan Brüns stefan.bruens@rwth-aachen.de
Reported-by: Coverity (CID: 165117, 165110)
Signed-off-by: Tom Rini trini@konsulko.com
---
Stefan, since this is your suggestion and message, if you want me to v2 with you as Author, I'd be quite happy to, thanks again!
---
 fs/ext4/ext4_journal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/ext4_journal.c b/fs/ext4/ext4_journal.c index 5a25be4c8ac2..fed6287eac45 100644 --- a/fs/ext4/ext4_journal.c +++ b/fs/ext4/ext4_journal.c @@ -355,7 +355,7 @@ void recover_transaction(int prev_desc_logical_no) ofs = sizeof(struct journal_header_t);
do { - tag = (struct ext3_journal_block_tag *)&p_jdb[ofs]; + tag = (struct ext3_journal_block_tag *)(p_jdb + ofs); ofs += sizeof(struct ext3_journal_block_tag);
if (ofs > fs->blksz) @@ -466,7 +466,7 @@ int ext4fs_check_journal_state(int recovery_flag) ofs = sizeof(struct journal_header_t); do { tag = (struct ext3_journal_block_tag *) - &p_jdb[ofs]; + (p_jdb + ofs); ofs += sizeof(struct ext3_journal_block_tag); if (ofs > fs->blksz) break;
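Review bot: In both hunks the rewritten cast is a no-op for the compiler, since `&p_jdb[ofs]` is defined by the standard as `p_jdb + ofs`; what actually keeps `tag` from being read past the block is the unchanged `if (ofs > fs->blksz) break;`, which runs only after the pointer has already been formed and after `ofs` has been bumped by `sizeof(struct ext3_journal_block_tag)`. If the intent is to never form a pointer beyond the block at all, move the bound ahead of the assignment, e.g. `if (ofs + sizeof(struct ext3_journal_block_tag) > fs->blksz) break;` immediately before `tag = (struct ext3_journal_block_tag *)(p_jdb + ofs);` in both recover_transaction() and ext4fs_check_journal_state(); that also makes explicit that the whole 8-byte tag, not just its first byte, lies inside the block before it is dereferenced.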

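The loop the patch touches walks the block tags of a journal descriptor block until it either sees a tag flagged as the last one or runs out of block. The following is an added example, not U-Boot's code, that does the same walk with the bound checked before the tag pointer is formed, so the pointer is never computed from an offset past the block and the break condition is the same as the one in the hunks. The struct layouts, magic number and flag values are the classic jbd ones (12-byte header, 8-byte big-endian tag, a 16-byte UUID after any tag without SAME_UUID); treat those sizes and values, and the helper names, as assumptions of this example. It also constructs its own descriptor block so it runs offline.

```c
/*
 * Added example, not code from U-Boot: walk the block tags of an ext3/ext4
 * journal descriptor block with the bound checked before the pointer is
 * formed. Layout, magic and flag values are assumptions of this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JOURNAL_MAGIC          0xC03B3998u  /* assumed jbd magic */
#define JOURNAL_DESCRIPTOR     1            /* assumed descriptor blocktype */
#define JOURNAL_FLAG_SAME_UUID 2            /* assumed: no UUID follows tag */
#define JOURNAL_FLAG_LAST_TAG  8            /* assumed: last tag in block */

struct journal_header_t {
	uint32_t magic;
	uint32_t blocktype;
	uint32_t sequence;
};

struct ext3_journal_block_tag {
	uint32_t block;
	uint32_t flags;
};

static uint32_t get_be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
	p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
	p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/*
 * Walk the tags of a descriptor block of blksz bytes. Returns the number of
 * tags up to and including the one flagged LAST_TAG (block numbers stored in
 * out[]), or -1 if the block is not a descriptor or the tag list runs off
 * the end of the block before a LAST_TAG is seen.
 */
int walk_descriptor_tags(const unsigned char *p_jdb, size_t blksz,
			 uint32_t *out, size_t max_out)
{
	size_t ofs = sizeof(struct journal_header_t);
	size_t n = 0;
	const unsigned char *tag;
	uint32_t flags;

	if (blksz < sizeof(struct journal_header_t))
		return -1;
	if (get_be32(p_jdb) != JOURNAL_MAGIC ||
	    get_be32(p_jdb + 4) != JOURNAL_DESCRIPTOR)
		return -1;

	for (;;) {
		/* Bound first: the whole 8-byte tag must lie inside the block
		 * before any pointer to it is formed or dereferenced. */
		if (ofs + sizeof(struct ext3_journal_block_tag) > blksz)
			return -1;
		tag = p_jdb + ofs;
		ofs += sizeof(struct ext3_journal_block_tag);

		if (n < max_out)
			out[n] = get_be32(tag);
		n++;
		flags = get_be32(tag + 4);
		if (flags & JOURNAL_FLAG_LAST_TAG)
			return (int)n;
		if (!(flags & JOURNAL_FLAG_SAME_UUID))
			ofs += 16;	/* a full UUID follows this tag */
	}
}

/* Constructed sample input: ntags tags for blocks 100, 200, ..., the second
 * one followed by a UUID, LAST_TAG on the final tag only if terminate != 0.
 * Tags that would not fit in blksz are left out. */
size_t build_descriptor_block(unsigned char *buf, size_t blksz, int ntags,
			      int terminate)
{
	size_t ofs = sizeof(struct journal_header_t);
	int i;

	memset(buf, 0, blksz);
	put_be32(buf, JOURNAL_MAGIC);
	put_be32(buf + 4, JOURNAL_DESCRIPTOR);
	put_be32(buf + 8, 7);
	for (i = 0; i < ntags; i++) {
		uint32_t flags = (i == 1) ? 0 : JOURNAL_FLAG_SAME_UUID;
		if (terminate && i == ntags - 1)
			flags |= JOURNAL_FLAG_LAST_TAG;
		if (ofs + sizeof(struct ext3_journal_block_tag) > blksz)
			break;
		put_be32(buf + ofs, 100u * (uint32_t)(i + 1));
		put_be32(buf + ofs + 4, flags);
		ofs += sizeof(struct ext3_journal_block_tag);
		if (!(flags & JOURNAL_FLAG_SAME_UUID))
			ofs += 16;
	}
	return ofs;
}

/* Build a block of blksz bytes (at most 4096) and walk it in one call. */
int build_and_walk(size_t blksz, int ntags, int terminate,
		   uint32_t *out, size_t max_out)
{
	static unsigned char buf[4096];

	if (blksz > sizeof(buf))
		return -1;
	build_descriptor_block(buf, blksz, ntags, terminate);
	return walk_descriptor_tags(buf, blksz, out, max_out);
}

/* Block number recorded for tag index idx in the walked block, or 0. */
uint32_t tag_block_at(size_t blksz, int ntags, int terminate, size_t idx)
{
	uint32_t out[8] = {0};

	if (idx >= 8 || build_and_walk(blksz, ntags, terminate, out, 8) < 0)
		return 0;
	return out[idx];
}

int main(void)
{
	printf("1024-byte block, 3 tags: %d\n", build_and_walk(1024, 3, 1, NULL, 0));
	printf("52-byte block, 3 tags:   %d\n", build_and_walk(52, 3, 1, NULL, 0));
	printf("44-byte block, 3 tags:   %d\n", build_and_walk(44, 3, 1, NULL, 0));
	printf("no LAST_TAG at all:      %d\n", build_and_walk(1024, 200, 0, NULL, 0));
	return 0;
}
```

The 52- versus 44-byte cases are the boundary the hunks' `if (ofs > fs->blksz) break;` guards: with the UUID after the second tag, the third tag ends exactly at byte 52, so a 52-byte block is accepted and a 44-byte one is reported as truncated rather than read past its end.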
On Monday, 21 August 2017 04:30:15 CEST Tom Rini wrote:
While &p_jdb[fs->blksz] is a valid expression (it points *one* char-sized element past the end of the array), e.g. &p_jdb[fs->blksz + 1] is invalid (according to the C standard (C99/C11)).
Changing this to tag = (struct ext3_journal_block_tag *)(p_jdb + ofs);
Cc: Stefan Brüns stefan.bruens@rwth-aachen.de
Suggested-by: Stefan Brüns stefan.bruens@rwth-aachen.de
Reported-by: Coverity (CID: 165117, 165110)
Signed-off-by: Tom Rini trini@konsulko.com
Stefan, since this is your suggestion and message, if you want me to v2 with you as Author, I'd be quite happy to, thanks again!
Hi Tom,
whatever you like, both is fine with me.
Kind regards,
Stefan
PS: Reviewed-by: Stefan Brüns stefan.bruens@rwth-aachen.de
 fs/ext4/ext4_journal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/ext4_journal.c b/fs/ext4/ext4_journal.c index 5a25be4c8ac2..fed6287eac45 100644 --- a/fs/ext4/ext4_journal.c +++ b/fs/ext4/ext4_journal.c @@ -355,7 +355,7 @@ void recover_transaction(int prev_desc_logical_no) ofs = sizeof(struct journal_header_t);
do {
tag = (struct ext3_journal_block_tag *)&p_jdb[ofs];
tag = (struct ext3_journal_block_tag *)(p_jdb + ofs);
ofs += sizeof(struct ext3_journal_block_tag);
if (ofs > fs->blksz)
@@ -466,7 +466,7 @@ int ext4fs_check_journal_state(int recovery_flag) ofs = sizeof(struct journal_header_t); do { tag = (struct ext3_journal_block_tag *)
&p_jdb[ofs];
(p_jdb + ofs); ofs += sizeof(struct ext3_journal_block_tag); if (ofs > fs->blksz) break;

On Sun, Aug 20, 2017 at 10:30:15PM -0400, Tom Rini wrote:
While &p_jdb[fs->blksz] is a valid expression (it points *one* char-sized element past the end of the array), e.g. &p_jdb[fs->blksz + 1] is invalid (according to the C standard (C99/C11)).
Changing this to tag = (struct ext3_journal_block_tag *)(p_jdb + ofs);
Cc: Stefan Brüns stefan.bruens@rwth-aachen.de
Suggested-by: Stefan Brüns stefan.bruens@rwth-aachen.de
Reported-by: Coverity (CID: 165117, 165110)
Signed-off-by: Tom Rini trini@konsulko.com
Reviewed-by: Stefan Brüns stefan.bruens@rwth-aachen.de
Applied to u-boot/master, thanks!