diff options
author | Tim Sell <Timothy.Sell@unisys.com> | 2017-11-17 12:27:38 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-11-28 14:20:50 +0100 |
commit | a5eb2188f5c6cd81eede163157864484fb1d0e64 (patch) | |
tree | 7b35477567ebc46166ee327bf070e95e6b02f9cd /drivers/staging/unisys | |
parent | 1c0c275b11279a8305cf18a453e206d4891bbc48 (diff) |
staging: unisys: visorbus: address theoretical int overflows
Add necessary casting to several places where we were doing 32-bit
arithmetic (unsigned) to produce a 64-bit (unsigned long) result, to
prevent the theoretical possibility of a 32-bit overflow during the
arithmetic.
FYI, these are unsigned long:
ctx->param_bytes
ctx->allocbytes
These are unsigned int:
bytes
phdr->name_offset
phdr->name_length
Here is the test program demonstrating why we really need the casts:
void main()
{
unsigned int i;
unsigned long il;
printf("sizeof(int) =%dn",sizeof(i));
printf("sizeof(long)=%dn",sizeof(il));
i = (unsigned int)((((unsigned long)(1)) << 32) - 1);
printf("i = %un", i);
il = i+1;
printf("adding 1 withOUT cast = %lun", il);
il = (unsigned long)i+1;
printf("adding 1 WITH cast = %lun", il);
}
[selltc@mac tmp]$ gcc x.c -o x.out
[selltc@mac tmp]$ ./x.out
sizeof(int) =4
sizeof(long)=8
i = 4294967295
adding 1 withOUT cast = 0
adding 1 WITH cast = 4294967296
Signed-off-by: Tim Sell <Timothy.Sell@unisys.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Kershner <david.kershner@unisys.com>
Reviewed-by: David Binder <david.binder@unisys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/unisys')
-rw-r--r-- | drivers/staging/unisys/visorbus/visorchipset.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/staging/unisys/visorbus/visorchipset.c b/drivers/staging/unisys/visorbus/visorchipset.c index a3fba96dd167..daff44d7a8c0 100644 --- a/drivers/staging/unisys/visorbus/visorchipset.c +++ b/drivers/staging/unisys/visorbus/visorchipset.c @@ -581,7 +581,8 @@ static void *parser_name_get(struct parser_context *ctx) struct visor_controlvm_parameters_header *phdr; phdr = &ctx->data; - if (phdr->name_offset + phdr->name_length > ctx->param_bytes) + if ((unsigned long)phdr->name_offset + + (unsigned long)phdr->name_length > ctx->param_bytes) return NULL; ctx->curr = (char *)&phdr + phdr->name_offset; ctx->bytes_remaining = phdr->name_length; @@ -1308,13 +1309,13 @@ static void parser_done(struct parser_context *ctx) static struct parser_context *parser_init_stream(u64 addr, u32 bytes, bool *retry) { - int allocbytes; + unsigned long allocbytes; struct parser_context *ctx; void *mapping; *retry = false; /* alloc an extra byte to ensure payload is \0 terminated */ - allocbytes = bytes + 1 + (sizeof(struct parser_context) - + allocbytes = (unsigned long)bytes + 1 + (sizeof(struct parser_context) - sizeof(struct visor_controlvm_parameters_header)); if ((chipset_dev->controlvm_payload_bytes_buffered + bytes) > MAX_CONTROLVM_PAYLOAD_BYTES) { |