diff mbox series

[net] ptp: fix integer overflow in max_vclocks_store

Message ID d094ecbe-8b14-45cc-8cd8-f70fdeca55d8@moroto.mountain (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] ptp: fix integer overflow in max_vclocks_store | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 859 this patch: 859
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 3 of 3 maintainers
netdev/build_clang success Errors and warnings before: 863 this patch: 863
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 863 this patch: 863
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-06-16--18-00 (tests: 659)

Commit Message

Dan Carpenter June 14, 2024, 5:31 p.m. UTC 
On 32bit systems, the "4 * max" multiply can overflow.  Use size_mul()
to fix this.

Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/ptp/ptp_sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Christophe JAILLET June 15, 2024, 7:05 a.m. UTC | #1 
Le 14/06/2024 à 19:31, Dan Carpenter a écrit :
> On 32bit systems, the "4 * max" multiply can overflow.  Use size_mul()
> to fix this.
> 
> Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>   drivers/ptp/ptp_sysfs.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
> index a15460aaa03b..bc1562fcd6c9 100644
> --- a/drivers/ptp/ptp_sysfs.c
> +++ b/drivers/ptp/ptp_sysfs.c
> @@ -296,7 +296,7 @@ static ssize_t max_vclocks_store(struct device *dev,
>   	if (max < ptp->n_vclocks)
>   		goto out;
>   
> -	size = sizeof(int) * max;
> +	size = size_mul(sizeof(int), max);
>   	vclock_index = kzalloc(size, GFP_KERNEL);

kcalloc() maybe?

>   	if (!vclock_index) {
>   		err = -ENOMEM;


Unrelated but, a few lines above, should the:
	if (max == ptp->max_vclocks)
		return count;

be after:
	if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
		return -ERESTARTSYS;

as done in n_vclocks_store()?

CJ
Dan Carpenter June 17, 2024, 6:01 a.m. UTC | #2 
On Sat, Jun 15, 2024 at 09:05:56AM +0200, Christophe JAILLET wrote:
> Le 14/06/2024 à 19:31, Dan Carpenter a écrit :
> > On 32bit systems, the "4 * max" multiply can overflow.  Use size_mul()
> > to fix this.
> > 
> > Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> > ---
> >   drivers/ptp/ptp_sysfs.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
> > index a15460aaa03b..bc1562fcd6c9 100644
> > --- a/drivers/ptp/ptp_sysfs.c
> > +++ b/drivers/ptp/ptp_sysfs.c
> > @@ -296,7 +296,7 @@ static ssize_t max_vclocks_store(struct device *dev,
> >   	if (max < ptp->n_vclocks)
> >   		goto out;
> > -	size = sizeof(int) * max;
> > +	size = size_mul(sizeof(int), max);
> >   	vclock_index = kzalloc(size, GFP_KERNEL);
> 
> kcalloc() maybe?
> 

Fair enough.  I'll resend.

> >   	if (!vclock_index) {
> >   		err = -ENOMEM;
> 
> 
> Unrelated but, a few lines above, should the:
> 	if (max == ptp->max_vclocks)
> 		return count;
> 
> be after:
> 	if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
> 		return -ERESTARTSYS;
> 
> as done in n_vclocks_store()?

The code is probably better as is.  This is a short cut path.  We
sometimes see this pattern on fast paths where we test to see if we can
skip everything, then we test again underlock if the test is really
essential.  Here if max == ptp->max_vclocks then the whole function is
very complicated no-op so it's not necessary to retest under the lock.

Meanwhile the essential "if (max < ptp->n_vclocks)" check is done under
lock.  So it works and it feels like someone put some thought into it.

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
index a15460aaa03b..bc1562fcd6c9 100644
--- a/drivers/ptp/ptp_sysfs.c
+++ b/drivers/ptp/ptp_sysfs.c
@@ -296,7 +296,7 @@  static ssize_t max_vclocks_store(struct device *dev,
 	if (max < ptp->n_vclocks)
 		goto out;
 
-	size = sizeof(int) * max;
+	size = size_mul(sizeof(int), max);
 	vclock_index = kzalloc(size, GFP_KERNEL);
 	if (!vclock_index) {
 		err = -ENOMEM;