From: Dan Carpenter <dan.carpenter@oracle.com>
To: dan.j.williams@intel.com
Cc: linux-acpi@vger.kernel.org
Subject: [bug report] libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices
Date: Wed, 24 Apr 2019 12:48:45 +0300
Message-ID: <20190424094845.GC15818@mwanda>

Hello Dan Williams,

The patch 62232e45f4a2: "libnvdimm: control (ioctl) messages for
nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
following static checker warning:

	drivers/acpi/nfit/core.c:611 acpi_nfit_ctl()
	error: 'out_size' from user is not capped properly

drivers/acpi/nfit/core.c
   594          for (i = 0, offset = 0; i < desc->out_num; i++) {
   595                  u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
   596                                  (u32 *) out_obj->buffer.pointer,
   597                                  out_obj->buffer.length - offset);
   598  
   599                  if (offset + out_size > out_obj->buffer.length) {
                            ^^^^^^^^^^^^^^^^^
It looks like this addition could have an integer overflow bug.

   600                          dev_dbg(dev, "%s output object underflow cmd: %s field: %d\n",
   601                                          dimm_name, cmd_name, i);
   602                          break;
   603                  }
   604  
   605                  if (in_buf.buffer.length + offset + out_size > buf_len) {
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The comments suggest that this is safe.  I don't know the code.

   606                          dev_dbg(dev, "%s output overrun cmd: %s field: %d\n",
   607                                          dimm_name, cmd_name, i);
   608                          rc = -ENXIO;
   609                          goto out;
   610                  }
   611                  memcpy(buf + in_buf.buffer.length + offset,
   612                                  out_obj->buffer.pointer + offset, out_size);
   613                  offset += out_size;
   614          }
   615  

regards,
dan carpenter
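
The point the checker raises above is that `offset` and `out_size` are both `u32`, so `offset + out_size` in the bounds check wraps modulo 2^32 and a large `out_size` can slip past the comparison while `memcpy()` still copies the full size. The following is an added, stand-alone C model of that check (written for this page, not kernel or libnvdimm code) with a constructed buffer length and sizes; `fits_wrapping`, `fits_safe`, `fits_checked` and `bytes_overread` are hypothetical names. Whether a wrapping `out_size` is actually reachable in `acpi_nfit_ctl()` depends on what `nd_cmd_out_size()` can return, which this report does not establish; the example only shows the arithmetic and two overflow-safe forms of the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror the kernel types: the buffer length, offset and field size are all u32. */
typedef uint32_t u32;

/* The check as written in the report: `offset + out_size > length`.
 * Both operands are u32, so the sum wraps and a huge out_size can compare
 * as "fits" against a small buffer. */
static bool fits_wrapping(u32 buf_len, u32 offset, u32 out_size)
{
	return offset + out_size <= buf_len;
}

/* Overflow-safe form: subtract instead of add. The offset is bounded by
 * buf_len (every earlier iteration must have passed this check), so the
 * subtraction cannot wrap and out_size is compared against the remaining room. */
static bool fits_safe(u32 buf_len, u32 offset, u32 out_size)
{
	if (offset > buf_len)
		return false;
	return out_size <= buf_len - offset;
}

/* Alternative: detect the carry explicitly. The GCC/Clang builtin used here is
 * the same mechanism behind the kernel's check_add_overflow() helper. */
static bool fits_checked(u32 buf_len, u32 offset, u32 out_size)
{
	u32 end;

	if (__builtin_add_overflow(offset, out_size, &end))
		return false;
	return end <= buf_len;
}

/* How many bytes past the end of a buf_len-byte source buffer a memcpy() of
 * out_size bytes at offset would read if the wrapping check let it through.
 * Returns 0 when the check rejects the copy or the copy genuinely fits.
 * Computed in 64 bits so the answer itself cannot wrap. */
static uint64_t bytes_overread(u32 buf_len, u32 offset, u32 out_size)
{
	uint64_t end = (uint64_t)offset + out_size;

	if (!fits_wrapping(buf_len, offset, out_size))
		return 0;
	return end > buf_len ? end - buf_len : 0;
}

int main(void)
{
	/* Constructed inputs: a 64-byte output object, 32 bytes already consumed,
	 * and a field size chosen so that 32 + out_size wraps to 16. */
	u32 buf_len = 64;
	u32 offset = 32;
	u32 huge = 0xFFFFFFF0u;

	printf("wrapping check accepts huge size: %d\n", fits_wrapping(buf_len, offset, huge));
	printf("subtract-form check accepts:      %d\n", fits_safe(buf_len, offset, huge));
	printf("overflow-builtin check accepts:   %d\n", fits_checked(buf_len, offset, huge));
	printf("bytes memcpy() would over-read:   %llu\n",
	       (unsigned long long)bytes_overread(buf_len, offset, huge));
	return 0;
}
```

The wrapping form accepts the 0xFFFFFFF0 size because the sum is 0x10, which is below 64; both safe forms reject it, and the subtraction variant needs no compiler builtin. The `in_buf.buffer.length + offset + out_size > buf_len` check on line 605 has the same shape and the same wrap hazard if all three operands are 32-bit.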

Thread overview: 2+ messages
2019-04-24  9:48 Dan Carpenter [this message]
2017-07-27 15:14 [bug report] libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices Dan Carpenter
