From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Joern Engel <joern@lazybastard.org>,
yangerkun <yangerkun@huawei.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
linux-mtd@lists.infradead.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] mtd: phram: Prevent divide by zero bug in phram_setup()
Date: Fri, 21 Jan 2022 12:17:48 +0100 [thread overview]
Message-ID: <20220121121748.24e98015@xps13> (raw)
In-Reply-To: <20220121053836.GA27293@kili>
Hi Dan,
dan.carpenter@oracle.com wrote on Fri, 21 Jan 2022 08:38:36 +0300:
> The problem is that "erasesize" is a uint32_t type so it might be
Don't you mean uint64_t here? Otherwise I don't get the sentence.
> non-zero but the truncated "(uint32_t)erasesize" value *is* zero. That
s/*is*/*can* be/ ? (again, if my understanding is correct).
> would lead to the divide by zero bug.
>
> Avoid the bug by delaying the divide until after we have validated
> that "erasesize" is reasonable.
I don't really get the fix. If "erasesize" is big enough, then
(uint32_t)erasesize can however be zero. But checking if erasesize is
zero beforehands does not fix the situation. Or am I missing
something?
> Fixes: dc2b3e5cbc80 ("mtd: phram: use div_u64_rem to stop overwrite len in phram_setup")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/mtd/devices/phram.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
> index 6ed6c51fac69..d503821a3e60 100644
> --- a/drivers/mtd/devices/phram.c
> +++ b/drivers/mtd/devices/phram.c
> @@ -264,16 +264,20 @@ static int phram_setup(const char *val)
> }
> }
>
> - if (erasesize)
> - div_u64_rem(len, (uint32_t)erasesize, &rem);
> -
> if (len == 0 || erasesize == 0 || erasesize > len
> - || erasesize > UINT_MAX || rem) {
> + || erasesize > UINT_MAX) {
> parse_err("illegal erasesize or len\n");
> ret = -EINVAL;
> goto error;
> }
>
> + div_u64_rem(len, (uint32_t)erasesize, &rem);
> + if (rem) {
> + parse_err("len is not multiple of erasesize\n");
> + ret = -EINVAL;
> + goto error;
> + }
> +
> ret = register_device(name, start, len, (uint32_t)erasesize);
> if (ret)
> goto error;
Thanks,
Miquèl
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2022-01-21 11:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-21 5:38 [PATCH] mtd: phram: Prevent divide by zero bug in phram_setup() Dan Carpenter
2022-01-21 11:17 ` Miquel Raynal [this message]
2022-01-21 11:51 ` Dan Carpenter
2022-01-22 2:43 ` yangerkun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220121121748.24e98015@xps13 \
--to=miquel.raynal@bootlin.com \
--cc=dan.carpenter@oracle.com \
--cc=joern@lazybastard.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=richard@nod.at \
--cc=vigneshr@ti.com \
--cc=yangerkun@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).