* [bug report] libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices
@ 2019-04-24 9:48 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2019-04-24 9:48 UTC (permalink / raw)
To: dan.j.williams; +Cc: linux-acpi
Hello Dan Williams,
The patch 62232e45f4a2: "libnvdimm: control (ioctl) messages for
nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
following static checker warning:
drivers/acpi/nfit/core.c:611 acpi_nfit_ctl()
error: 'out_size' from user is not capped properly
drivers/acpi/nfit/core.c
594 for (i = 0, offset = 0; i < desc->out_num; i++) {
595 u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
596 (u32 *) out_obj->buffer.pointer,
597 out_obj->buffer.length - offset);
598
599 if (offset + out_size > out_obj->buffer.length) {
^^^^^^^^^^^^^^^^^
It looks like this addition could have an integer overflow bug.
600 dev_dbg(dev, "%s output object underflow cmd: %s field: %d\n",
601 dimm_name, cmd_name, i);
602 break;
603 }
604
605 if (in_buf.buffer.length + offset + out_size > buf_len) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The comments suggest that this is safe. I don't know the code.
606 dev_dbg(dev, "%s output overrun cmd: %s field: %d\n",
607 dimm_name, cmd_name, i);
608 rc = -ENXIO;
609 goto out;
610 }
611 memcpy(buf + in_buf.buffer.length + offset,
612 out_obj->buffer.pointer + offset, out_size);
613 offset += out_size;
614 }
615
regards,
dan carpenter
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-04-24 9:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-24 9:48 [bug report] libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).