| Message ID | 20190821071122.GD26957@mwanda (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 6123f1fe53985645992b2ff648b3087b77b3ed16 |
| Headers | show |
| Series | [1/4] misc: xilinx_sdfec: Fix a couple small information leaks | expand |
On 21. 08. 19 9:11, Dan Carpenter wrote: > The checking here needs to handle integer overflows because "offset" and > "len" come from the user. > > Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/misc/xilinx_sdfec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c > index 3fc53d20abf3..0bf3bcc8e1ef 100644 > --- a/drivers/misc/xilinx_sdfec.c > +++ b/drivers/misc/xilinx_sdfec.c > @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset, > * Writes that go beyond the length of > * Shared Scale(SC) table should fail > */ > - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { > + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || > + len > depth / XSDFEC_REG_WIDTH_JUMP || > + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { > dev_dbg(xsdfec->dev, "Write exceeds SC table length"); > return -EINVAL; > } > Reviewed-by: Michal Simek <michal.simek@xilinx.com> Thanks, Michal
Hi Dan, > -----Original Message----- > From: Dan Carpenter [mailto:dan.carpenter@oracle.com] > Sent: Wednesday 21 August 2019 08:11 > To: Derek Kiernan <dkiernan@xilinx.com>; Dragan Cvetic <draganc@xilinx.com> > Cc: Arnd Bergmann <arnd@arndb.de>; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Michal Simek <michals@xilinx.com>; > linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org > Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() > > The checking here needs to handle integer overflows because "offset" and > "len" come from the user. Good catch, thanks. > > Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/misc/xilinx_sdfec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c > index 3fc53d20abf3..0bf3bcc8e1ef 100644 > --- a/drivers/misc/xilinx_sdfec.c > +++ b/drivers/misc/xilinx_sdfec.c > @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset, > * Writes that go beyond the length of > * Shared Scale(SC) table should fail > */ > - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { > + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || > + len > depth / XSDFEC_REG_WIDTH_JUMP || > + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { > dev_dbg(xsdfec->dev, "Write exceeds SC table length"); > return -EINVAL; > } > -- > 2.20.1 Reviewed-by: Dragan Cvetic <dragan.cvetic@xilinx.com> Thanks Dragan
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c index 3fc53d20abf3..0bf3bcc8e1ef 100644 --- a/drivers/misc/xilinx_sdfec.c +++ b/drivers/misc/xilinx_sdfec.c @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset, * Writes that go beyond the length of * Shared Scale(SC) table should fail */ - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || + len > depth / XSDFEC_REG_WIDTH_JUMP || + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { dev_dbg(xsdfec->dev, "Write exceeds SC table length"); return -EINVAL; }
The checking here needs to handle integer overflows because "offset" and "len" come from the user. Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/misc/xilinx_sdfec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)