diff mbox series

ceph: fix overflowed constant issue in ceph_do_objects_copy()

Message ID 20250606190545.438240-1-slava@dubeyko.com
State New
Headers show
Series ceph: fix overflowed constant issue in ceph_do_objects_copy() | expand

Commit Message

Viacheslav Dubeyko June 6, 2025, 7:05 p.m. UTC 
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>

The Coverity Scan service has detected overflowed constant
issue in ceph_do_objects_copy() [1]. The CID 1624308
defect contains explanation: "The overflowed value due to
arithmetic on constants is too small or unexpectedly
negative, causing incorrect computations. Expression bytes,
which is equal to -95, where ret is known to be equal to -95,
underflows the type that receives it, an unsigned integer
64 bits wide. In ceph_do_objects_copy: Integer overflow occurs
in arithmetic on constant operands (CWE-190)".

The patch changes the type of bytes variable from size_t
to ssize_t with the goal of to be capable to receive
negative values.

[1] https://scan5.scan.coverity.com/#/project-view/64304/10063?selectedIssue=1624308

Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
---
 fs/ceph/file.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Alex Markuze June 8, 2025, 3:06 p.m. UTC | #1 
Reviewed by: Alex Markuze <amarkuze@redhat.com>

On Fri, Jun 6, 2025 at 10:05 PM Viacheslav Dubeyko <slava@dubeyko.com> wrote:
>
> From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
>
> The Coverity Scan service has detected overflowed constant
> issue in ceph_do_objects_copy() [1]. The CID 1624308
> defect contains explanation: "The overflowed value due to
> arithmetic on constants is too small or unexpectedly
> negative, causing incorrect computations. Expression bytes,
> which is equal to -95, where ret is known to be equal to -95,
> underflows the type that receives it, an unsigned integer
> 64 bits wide. In ceph_do_objects_copy: Integer overflow occurs
> in arithmetic on constant operands (CWE-190)".
>
> The patch changes the type of bytes variable from size_t
> to ssize_t with the goal of to be capable to receive
> negative values.
>
> [1] https://scan5.scan.coverity.com/#/project-view/64304/10063?selectedIssue=1624308
>
> Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
> ---
>  fs/ceph/file.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 851d70200c6b..e46ff9cb25c5 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -2883,7 +2883,7 @@ static ssize_t ceph_do_objects_copy(struct ceph_inode_info *src_ci, u64 *src_off
>         struct ceph_object_id src_oid, dst_oid;
>         struct ceph_osd_client *osdc;
>         struct ceph_osd_request *req;
> -       size_t bytes = 0;
> +       ssize_t bytes = 0;
>         u64 src_objnum, src_objoff, dst_objnum, dst_objoff;
>         u32 src_objlen, dst_objlen;
>         u32 object_size = src_ci->i_layout.object_size;
> @@ -2933,7 +2933,7 @@ static ssize_t ceph_do_objects_copy(struct ceph_inode_info *src_ci, u64 *src_off
>                                         "OSDs don't support copy-from2; disabling copy offload\n");
>                         }
>                         doutc(cl, "returned %d\n", ret);
> -                       if (!bytes)
> +                       if (bytes <= 0)
>                                 bytes = ret;
>                         goto out;
>                 }
> --
> 2.49.0
>
diff mbox series

Patch

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 851d70200c6b..e46ff9cb25c5 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -2883,7 +2883,7 @@  static ssize_t ceph_do_objects_copy(struct ceph_inode_info *src_ci, u64 *src_off
 	struct ceph_object_id src_oid, dst_oid;
 	struct ceph_osd_client *osdc;
 	struct ceph_osd_request *req;
-	size_t bytes = 0;
+	ssize_t bytes = 0;
 	u64 src_objnum, src_objoff, dst_objnum, dst_objoff;
 	u32 src_objlen, dst_objlen;
 	u32 object_size = src_ci->i_layout.object_size;
@@ -2933,7 +2933,7 @@  static ssize_t ceph_do_objects_copy(struct ceph_inode_info *src_ci, u64 *src_off
 					"OSDs don't support copy-from2; disabling copy offload\n");
 			}
 			doutc(cl, "returned %d\n", ret);
-			if (!bytes)
+			if (bytes <= 0)
 				bytes = ret;
 			goto out;
 		}