Message ID | 20200615214718.GA6970@embeddedor (mailing list archive) |
---|---|
State | Changes Requested |
Series | scsi: megaraid_sas: Use array_size() helper |
On Mon, 2020-06-15 at 16:47 -0500, Gustavo A. R. Silva wrote:

> The get_order() function has no 2-factor argument form, so > multiplication > factors need to be wrapped in array_size(). > > This issue was found with the help of Coccinelle and, audited and > fixed > manually. > > Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83 > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> > --- > drivers/scsi/megaraid/megaraid_sas_fusion.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c > b/drivers/scsi/megaraid/megaraid_sas_fusion.c > index 319f241da4b6..6de44ed4cde7 100644 > --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c > +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c > @@ -5180,8 +5180,8 @@ megasas_alloc_fusion_context(struct > megasas_instance *instance) > > fusion = instance->ctrl_context; > > - fusion->log_to_span_pages = get_order(MAX_LOGICAL_DRIVES_EXT > * > - sizeof(LD_SPAN_INFO)); > + fusion->log_to_span_pages = > get_order(array_size(MAX_LOGICAL_DRIVES_EXT, > + sizeof(LD_SPAN_INFO))) > ;

What's the point of this? You're replacing a constant multiplication the compiler can compute with one it can't on the theory there might be an overflow, which is pretty far fetched given MAX_LOGICAL_DRIVES_EXT is 256 and sizeof(LD_SPAN_INFO) is around 82.

I thought the whole point of overflow detection was to use it for instances where we could be tricked into triggering one by userspace which may result in a buffer under or overflow ... this is two constants, how could this ever be a source of an exploit?

James
diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c index 319f241da4b6..6de44ed4cde7 100644 --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c @@ -5180,8 +5180,8 @@ megasas_alloc_fusion_context(struct megasas_instance *instance) fusion = instance->ctrl_context; - fusion->log_to_span_pages = get_order(MAX_LOGICAL_DRIVES_EXT * - sizeof(LD_SPAN_INFO)); + fusion->log_to_span_pages = get_order(array_size(MAX_LOGICAL_DRIVES_EXT, + sizeof(LD_SPAN_INFO))); fusion->log_to_span = (PLD_SPAN_INFO)__get_free_pages(GFP_KERNEL | __GFP_ZERO, fusion->log_to_span_pages); @@ -5196,8 +5196,8 @@ megasas_alloc_fusion_context(struct megasas_instance *instance) } } - fusion->load_balance_info_pages = get_order(MAX_LOGICAL_DRIVES_EXT * - sizeof(struct LD_LOAD_BALANCE_INFO)); + fusion->load_balance_info_pages = get_order(array_size(MAX_LOGICAL_DRIVES_EXT, + sizeof(struct LD_LOAD_BALANCE_INFO))); fusion->load_balance_info = (struct LD_LOAD_BALANCE_INFO *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, fusion->load_balance_info_pages);
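Review bot: In the first hunk (megasas_alloc_fusion_context, log_to_span_pages) both factors passed to array_size() are compile-time constants, MAX_LOGICAL_DRIVES_EXT and sizeof(LD_SPAN_INFO), so the saturating path cannot be taken at this call site. The changelog describes this as an "issue"; please state instead that the conversion is for consistency with the KSPP item and that no functional change is intended, or drop the hunk if no run-time factor is involved.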
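Review bot: In the second hunk (load_balance_info_pages) the changelog does not say what reaches __get_free_pages() if array_size() ever saturates. array_size() returns SIZE_MAX on overflow, so get_order() yields an order the page allocator cannot satisfy and the allocation fails instead of coming back undersized; one sentence saying so would document why the wrapper is wanted at a get_order() call site.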
The get_order() function has no 2-factor argument form, so multiplication factors need to be wrapped in array_size().

This issue was found with the help of Coccinelle, and audited and fixed manually.

Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
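The two forms in the diff differ only when a factor is not a constant. The following userspace model is an added example, not kernel code and not code from this thread; array_size_model, get_order_model, the 4 KiB page size, the maximum order of 10 and the element size of 82 (the approximate figure quoted in the reply) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT_MODEL 12	/* assumption: 4 KiB pages */
#define MAX_ORDER_MODEL  10	/* assumption: largest order the allocator grants */

/* Model of array_size(): a * b, saturating at SIZE_MAX on overflow. */
static size_t array_size_model(size_t a, size_t b)
{
	size_t bytes;

	if (__builtin_mul_overflow(a, b, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Model of get_order(): smallest order whose pages cover size bytes. */
static int get_order_model(size_t size)
{
	int order = 0;

	for (size = (size - 1) >> PAGE_SHIFT_MODEL; size; size >>= 1)
		order++;
	return order;
}

/* Old form: plain multiplication, which wraps silently for size_t. */
static int order_plain(size_t n, size_t elem)
{
	return get_order_model(n * elem);
}

/* New form: the product saturates, so the order becomes unsatisfiable. */
static int order_checked(size_t n, size_t elem)
{
	return get_order_model(array_size_model(n, elem));
}

static int alloc_would_succeed(int order) { return order <= MAX_ORDER_MODEL; }

int main(void)
{
	size_t big = SIZE_MAX / 82 + 1;	/* constructed count whose product wraps */

	printf("256 x 82: plain=%d checked=%d\n", order_plain(256, 82), order_checked(256, 82));
	printf("wrapping: plain=%d checked=%d\n", order_plain(big, 82), order_checked(big, 82));
	return 0;
}
```

With the constant factors from the thread both forms give the same order; with the constructed wrapping count the plain form asks for a single page while the checked form asks for an order the allocator refuses.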