From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Monjalon
Subject: Re: [PATCH] mem: fix possible memzone integer overflow
Date: Mon, 20 Jun 2016 10:57:59 +0200
Message-ID: <1880209.krCoBmB9j2@xps13>
References: <1465927638-71892-1-git-send-email-sergio.gonzalez.monroy@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Cc: dev@dpdk.org
To: Sergio Gonzalez Monroy
Received: from mail-wm0-f50.google.com (mail-wm0-f50.google.com [74.125.82.50]) by dpdk.org (Postfix) with ESMTP id BA1438E8B for ; Mon, 20 Jun 2016 10:58:01 +0200 (CEST)
Received: by mail-wm0-f50.google.com with SMTP id a66so68427530wme.0 for ; Mon, 20 Jun 2016 01:58:01 -0700 (PDT)
In-Reply-To: <1465927638-71892-1-git-send-email-sergio.gonzalez.monroy@intel.com>
List-Id: patches and discussions about DPDK
Errors-To: dev-bounces@dpdk.org
Sender: "dev"

2016-06-14 19:07, Sergio Gonzalez Monroy:
> It is possible to get an integer overflow if we try to reserve a memzone
> with len = 0 (meaning the maximum contiguous space available) and the
> maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).
>
> Issue reported by Coverity:
>
> >>> 10. overflow: Subtract operation overflows on operands len and
> >>> 64UL.
> >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
> >>> 11. overflow_sink: Overflowed or truncated value (or a value
> >>> computed from an overflowed or truncated value)
> >>> len - 64UL - align used as return value.
> 122 return len - MALLOC_ELEM_OVERHEAD - align;
>
> Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")
>
> Signed-off-by: Sergio Gonzalez Monroy

Applied, thanks
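The wraparound the commit message describes, shown as an added stand-alone example rather than DPDK's own code: `len` stands for the size of the largest free element, the subtraction is the one Coverity flagged, and `MALLOC_ELEM_OVERHEAD` is set to the 64 that appears in the Coverity output. The function names are hypothetical; the checked variant is one way to make the calculation refuse to wrap, not the exact change that was applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-element bookkeeping overhead. The value 64 is taken from the
 * "len - 64UL - align" expression in the Coverity report; it is an
 * assumption for this example, not a definition copied from DPDK. */
#define MALLOC_ELEM_OVERHEAD 64UL

/* Shape of the flagged expression (hypothetical name). Everything is
 * size_t, so when len < MALLOC_ELEM_OVERHEAD + align the result wraps
 * modulo 2^64 and a "maximum usable length" of nearly SIZE_MAX is
 * returned instead of "nothing fits". Unsigned wrap is defined in C,
 * so no sanitizer or UB check will catch it; only an explicit range
 * check does. */
size_t usable_len_unchecked(size_t len, size_t align)
{
    return len - MALLOC_ELEM_OVERHEAD - align;
}

/* Hardened form (hypothetical name): report 0 when the element cannot
 * hold the header plus alignment slack. The first test also stops the
 * threshold itself from wrapping for an absurd align value. */
size_t usable_len_checked(size_t len, size_t align)
{
    if (align > SIZE_MAX - MALLOC_ELEM_OVERHEAD)
        return 0;
    if (len < MALLOC_ELEM_OVERHEAD + align)
        return 0;
    return len - MALLOC_ELEM_OVERHEAD - align;
}

/* 1 when the unchecked arithmetic wrapped: a usable length can never
 * exceed the element it was carved from. */
int wrapped(size_t len, size_t align)
{
    return usable_len_unchecked(len, align) > len;
}

int main(void)
{
    /* Constructed inputs: a comfortably large element, one that is
     * smaller than overhead + align, one exactly equal to the overhead,
     * and an empty heap. */
    size_t cases[][2] = { {4096, 64}, {100, 64}, {64, 64}, {0, 64} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t len = cases[i][0], align = cases[i][1];
        printf("len=%zu align=%zu unchecked=%zu checked=%zu wrapped=%d\n",
               len, align,
               usable_len_unchecked(len, align),
               usable_len_checked(len, align),
               wrapped(len, align));
    }
    return 0;
}
```

The wrapped value matters because a caller that asked for len = 0 ("give me the biggest contiguous region") would then try to reserve a region of roughly SIZE_MAX bytes; returning 0 makes that request fail cleanly instead.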