public inbox for linux-mtd@lists.infradead.org
* [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Anton Moryakov @ 2024-12-12 17:13 UTC
  To: chengzhihao1, linux-mtd; +Cc: Anton Moryakov

Report of the static analyzer:
The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow 
because its operands are not cast to a larger data type before performing arithmetic

Corrections explained:
Added casting reginfo->offset to long long

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 ubi-utils/mtdinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..850297b 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 		ret_locked = ret_bad = errno_locked = errno_bad = 0;
 
 	for (i = 0; i < reginfo->numblocks; ++i) {
-		start = reginfo->offset + i * reginfo->erasesize;
+		start = (long long)reginfo->offset + i * reginfo->erasesize;
 		printf(" %*i: %08lx ", width, i, start);
 
 		if (ret_locked != -1) {
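Review bot: on the `+` line the cast is on the wrong operand: `i * reginfo->erasesize` is evaluated first, in its operands' own types, so the product can already have wrapped before it is added to the widened `reginfo->offset`. Put the cast inside the multiplication, for example on `i`, so that the product itself is computed in the wider type.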
-- 
2.30.2


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/


* [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Anton Moryakov @ 2024-12-12 17:29 UTC
  To: linux-mtd; +Cc: Anton Moryakov

Report of the static analyzer:
The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow 
because its operands are not cast to a larger data type before performing arithmetic

Corrections explained:
Added casting reginfo->offset to long long

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 ubi-utils/mtdinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..850297b 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 		ret_locked = ret_bad = errno_locked = errno_bad = 0;
 
 	for (i = 0; i < reginfo->numblocks; ++i) {
-		start = reginfo->offset + i * reginfo->erasesize;
+		start = (long long)reginfo->offset + i * reginfo->erasesize;
 		printf(" %*i: %08lx ", width, i, start);
 
 		if (ret_locked != -1) {
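Review bot: the result of the `+` line is assigned to `start` and printed on the next line with `%08lx`, the conversion for `unsigned long`; if `start` is only 32 bits wide on the target, the widened sum is truncated again on assignment and the change has no visible effect. Check the declaration of `start` (outside this hunk) and widen it together with the expression.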
-- 
2.30.2



* Re: [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Zhihao Cheng @ 2024-12-13  2:29 UTC
  To: Anton Moryakov, linux-mtd

On 2024/12/13 1:13, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
> because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> Added casting reginfo->offset to long long
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
> 
> ---
>   ubi-utils/mtdinfo.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
> index 7dff0de..850297b 100644
> --- a/ubi-utils/mtdinfo.c
> +++ b/ubi-utils/mtdinfo.c
> @@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   		ret_locked = ret_bad = errno_locked = errno_bad = 0;
>   
>   	for (i = 0; i < reginfo->numblocks; ++i) {
> -		start = reginfo->offset + i * reginfo->erasesize;

Hi Anton.
I think the expression 'i*reginfo->erasesize' could overflow too. 
Besides, 'unsigned long start' could be a 32-bit number on a 32-bit 
platform.
So, we should make 'start' be the 'unsigned long long' type, and then 
convert 'i' into 'unsigned long long' in expression 'i * 
reginfo->erasesize'. For example, start = reginfo->offset + (unsigned 
long long)i * reginfo->erasesize.
> +		start = (long long)reginfo->offset + i * reginfo->erasesize;
>   		printf(" %*i: %08lx ", width, i, start);
>   
>   		if (ret_locked != -1) {
> 
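
The two failure modes named in this reply (a wrap inside `i * reginfo->erasesize`, and a 32-bit `unsigned long start`), worked through as an added example that is not part of the thread or of mtd-utils. `struct region` and its 32-bit field widths are assumptions, `uint32_t` stands in for `unsigned long` on a 32-bit platform, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for region_info_t; the 32-bit field widths are assumed. */
struct region {
	uint32_t offset;
	uint32_t erasesize;
};

/* Original line, with uint32_t modelling a 32-bit 'unsigned long start'. */
static uint32_t start_original(const struct region *r, int i)
{
	return r->offset + i * r->erasesize;
}

/* First patch: only the addition is widened; the product is still 32-bit. */
static uint64_t start_cast_offset(const struct region *r, int i)
{
	return (long long)r->offset + i * r->erasesize;
}

/* Form asked for in the reply: widen 'i' and keep the result in 64 bits. */
static uint64_t start_widened(const struct region *r, int i)
{
	return r->offset + (unsigned long long)i * r->erasesize;
}

/* Constructed sample regions with 128 KiB erase blocks. */
static const struct region SUM_WRAPS  = { 0xF0000000u, 0x20000u };
static const struct region PROD_WRAPS = { 0x00100000u, 0x20000u };

int main(void)
{
	/* Block 4096: the product fits in 32 bits, the sum does not. */
	printf("%08llx %08llx %08llx\n",
	       (unsigned long long)start_original(&SUM_WRAPS, 4096),
	       (unsigned long long)start_cast_offset(&SUM_WRAPS, 4096),
	       (unsigned long long)start_widened(&SUM_WRAPS, 4096));
	/* Block 40000: the product itself exceeds 32 bits. */
	printf("%08llx %08llx %08llx\n",
	       (unsigned long long)start_original(&PROD_WRAPS, 40000),
	       (unsigned long long)start_cast_offset(&PROD_WRAPS, 40000),
	       (unsigned long long)start_widened(&PROD_WRAPS, 40000));
	return 0;
}
```

Casting only `offset` repairs the first case and not the second, which is why the cast has to sit inside the multiplication.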



* [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Anton Moryakov @ 2024-12-13 13:15 UTC
  To: chengzhihao1, linux-mtd; +Cc: Anton Moryakov

Report of the static analyzer:
The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow 
because its operands are not cast to a larger data type before performing arithmetic

Corrections explained:
Added casting reginfo->offset to long long

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 ubi-utils/mtdinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..850297b 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 		ret_locked = ret_bad = errno_locked = errno_bad = 0;
 
 	for (i = 0; i < reginfo->numblocks; ++i) {
-		start = reginfo->offset + i * reginfo->erasesize;
+		start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
 		printf(" %*i: %08lx ", width, i, start);
 
 		if (ret_locked != -1) {
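Review bot: the description above the diffstat still says "Added casting reginfo->offset to long long", but the `+` line here casts `i` to `unsigned long long` and leaves `reginfo->offset` alone; update the text so that it matches the change. The subject also carries no revision marker and there is no changelog after the `---` line, which makes this resend hard to tell apart from the earlier postings.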
-- 
2.30.2



* Re: [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Zhihao Cheng @ 2024-12-14  2:56 UTC
  To: Anton Moryakov, linux-mtd

On 2024/12/13 21:15, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
> because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> Added casting reginfo->offset to long long
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
> 
> ---
>   ubi-utils/mtdinfo.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
> index 7dff0de..850297b 100644
> --- a/ubi-utils/mtdinfo.c
> +++ b/ubi-utils/mtdinfo.c
> @@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   		ret_locked = ret_bad = errno_locked = errno_bad = 0;
>   

Hi Anton.
Please make 'start' be the 'unsigned long long' type, otherwise type 
'unsigned long' could be 32-bit width on a 32-bit platform.

>   	for (i = 0; i < reginfo->numblocks; ++i) {
> -		start = reginfo->offset + i * reginfo->erasesize;
> +		start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
>   		printf(" %*i: %08lx ", width, i, start);
>   
>   		if (ret_locked != -1) {
> 



* [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Anton Moryakov @ 2024-12-14 10:51 UTC
  To: chengzhihao1, linux-mtd; +Cc: Anton Moryakov

Report of the static analyzer:
The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow 
because its operands are not cast to a larger data type before performing arithmetic

Corrections explained:
Added casting i and start to unsigned long long

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 ubi-utils/mtdinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..850297b 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 		ret_locked = ret_bad = errno_locked = errno_bad = 0;
 
 	for (i = 0; i < reginfo->numblocks; ++i) {
-		start = reginfo->offset + i * reginfo->erasesize;
+		(unsigned long long)start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
 		printf(" %*i: %08lx ", width, i, start);
 
 		if (ret_locked != -1) {
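Review bot: `(unsigned long long)start = ...` on the `+` line puts a cast on the left-hand side of the assignment; the result of a cast is not an lvalue, so this does not compile, and it would not change the width of `start` even if it did. Change the type in the declaration of `start` instead and leave the left-hand side as plain `start`; the diffstat will then show two changed lines rather than one.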
-- 
2.30.2



* Re: [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Zhihao Cheng @ 2024-12-14 12:19 UTC
  To: Anton Moryakov, linux-mtd

On 2024/12/14 18:51, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
> because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> Added casting i and start to unsigned long long
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
> 
> ---
>   ubi-utils/mtdinfo.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
> index 7dff0de..850297b 100644
> --- a/ubi-utils/mtdinfo.c
> +++ b/ubi-utils/mtdinfo.c
> @@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   		ret_locked = ret_bad = errno_locked = errno_bad = 0;
>   
>   	for (i = 0; i < reginfo->numblocks; ++i) {
> -		start = reginfo->offset + i * reginfo->erasesize;
> +		(unsigned long long)start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
>   		printf(" %*i: %08lx ", width, i, start);
>   
>   		if (ret_locked != -1) {
> 

What I mean is modifying it like the following:

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..12d35eb 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -185,7 +185,7 @@ static void print_ubi_info(const struct mtd_info 
*mtd_info,
  static void print_region_map(const struct mtd_dev_info *mtd, int fd,
                              const region_info_t *reginfo)
  {
-       unsigned long start;
+       unsigned long long start;
         int i, width;
         int ret_locked, errno_locked, ret_bad, errno_bad;

@@ -203,7 +203,7 @@ static void print_region_map(const struct 
mtd_dev_info *mtd, int fd,
                 ret_locked = ret_bad = errno_locked = errno_bad = 0;

         for (i = 0; i < reginfo->numblocks; ++i) {
-               start = reginfo->offset + i * reginfo->erasesize;
+               start = reginfo->offset + (unsigned long long)i * 
reginfo->erasesize;
                 printf(" %*i: %08lx ", width, i, start);

                 if (ret_locked != -1) {
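Review bot: both `@@` headers and the `+` line of the second hunk are wrapped onto a second line (`*mtd_info,`, `mtd_dev_info *mtd, int fd,`, `reginfo->erasesize;`), so this diff will not apply as pasted. Re-create the two changes by hand from the `-`/`+` pairs rather than feeding this mail to `git am`.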


* [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Anton Moryakov @ 2024-12-14 12:31 UTC
  To: chengzhihao1, linux-mtd; +Cc: Anton Moryakov

Report of the static analyzer:
The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
because its operands are not cast to a larger data type before performing arithmetic

Corrections explained:
Added casting i and start to unsigned long long

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 ubi-utils/mtdinfo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..12d35eb 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -185,7 +185,7 @@ static void print_ubi_info(const struct mtd_info *mtd_info,
 static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 			     const region_info_t *reginfo)
 {
-	unsigned long start;
+	unsigned long long start;
 	int i, width;
 	int ret_locked, errno_locked, ret_bad, errno_bad;
 
@@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
 		ret_locked = ret_bad = errno_locked = errno_bad = 0;
 
 	for (i = 0; i < reginfo->numblocks; ++i) {
-		start = reginfo->offset + i * reginfo->erasesize;
+		start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
 		printf(" %*i: %08lx ", width, i, start);
 
 		if (ret_locked != -1) {
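Review bot: with `start` widened to `unsigned long long` in the first hunk, the context line `printf(" %*i: %08lx ", width, i, start);` in this hunk still passes it to `%08lx`, which expects `unsigned long`; the mismatch is undefined behaviour, and on a 32-bit build the upper half of the offset is not printed as intended. Change the conversion to `%08llx` in the same patch.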
-- 
2.30.2



* Re: [PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c
From: Zhihao Cheng @ 2024-12-16  1:08 UTC
  To: Anton Moryakov, linux-mtd

On 2024/12/14 20:31, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
> because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> Added casting i and start to unsigned long long
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
> 
> ---
>   ubi-utils/mtdinfo.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 

Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
> diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
> index 7dff0de..12d35eb 100644
> --- a/ubi-utils/mtdinfo.c
> +++ b/ubi-utils/mtdinfo.c
> @@ -185,7 +185,7 @@ static void print_ubi_info(const struct mtd_info *mtd_info,
>   static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   			     const region_info_t *reginfo)
>   {
> -	unsigned long start;
> +	unsigned long long start;
>   	int i, width;
>   	int ret_locked, errno_locked, ret_bad, errno_bad;
>   
> @@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   		ret_locked = ret_bad = errno_locked = errno_bad = 0;
>   
>   	for (i = 0; i < reginfo->numblocks; ++i) {
> -		start = reginfo->offset + i * reginfo->erasesize;
> +		start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
>   		printf(" %*i: %08lx ", width, i, start);
>   
>   		if (ret_locked != -1) {
> 


