From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chenyuan Mi <michenyuan@huawei.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Sasha Levin <sashal@kernel.org>,
jic23@kernel.org, linux-iio@vger.kernel.org
Subject: [PATCH AUTOSEL 6.5 15/28] tools: iio: iio_generic_buffer: Fix some integer type and calculation
Date: Fri, 8 Sep 2023 20:35:49 -0400
Message-ID: <20230909003604.3579407-15-sashal@kernel.org>
In-Reply-To: <20230909003604.3579407-1-sashal@kernel.org>
From: Chenyuan Mi <michenyuan@huawei.com>
[ Upstream commit 49d736313d0975ddeb156f4f59801da833f78b30 ]
In function size_from_channelarray(), the return value 'bytes' is defined
as int type. However, the calculation of 'bytes' in this function is designed
to use the unsigned int type. So it is necessary to change 'bytes' type to
unsigned int to avoid integer overflow.
The size_from_channelarray() is called in main() function, its return value
is directly multiplied by 'buf_len' and then used as the malloc() parameter.
The 'buf_len' is completely controllable by user, thus a multiplication
overflow may occur here. This could allocate an unexpectedly small area.
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Link: https://lore.kernel.org/r/20230725092407.62545-1-michenyuan@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/iio/iio_generic_buffer.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c
index f8deae4e26a15..44bbf80f0cfdd 100644
--- a/tools/iio/iio_generic_buffer.c
+++ b/tools/iio/iio_generic_buffer.c
@@ -51,9 +51,9 @@ enum autochan {
* Has the side effect of filling the channels[i].location values used
* in processing the buffer output.
**/
-static int size_from_channelarray(struct iio_channel_info *channels, int num_channels)
+static unsigned int size_from_channelarray(struct iio_channel_info *channels, int num_channels)
{
- int bytes = 0;
+ unsigned int bytes = 0;
int i = 0;
while (i < num_channels) {
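Review bot: Making 'bytes' and the return type unsigned in size_from_channelarray() only turns overflow of the running total into a defined wraparound; nothing in this hunk detects it, so a wrapped total is still returned as if it were a valid size. Consider checking the sum as it is accumulated inside the 'while (i < num_channels)' loop and giving the caller a way to see the failure, or at least say in the comment block above the function that the result is not range-checked.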
@@ -348,7 +348,7 @@ int main(int argc, char **argv)
ssize_t read_size;
int dev_num = -1, trig_num = -1;
char *buffer_access = NULL;
- int scan_size;
+ unsigned int scan_size;
int noevents = 0;
int notrigger = 0;
char *dummy;
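Review bot: 'unsigned int scan_size' in main() would be better declared as 'size_t', since the patch goes on to multiply it into 'size_t total_buf_len' for malloc(); keeping the operand and the result the same type makes the width of that multiplication explicit. It is also declared beside 'ssize_t read_size', so any later expression that combines the two now mixes unsigned and signed operands and deserves a second look.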
@@ -674,7 +674,16 @@ int main(int argc, char **argv)
}
scan_size = size_from_channelarray(channels, num_channels);
- data = malloc(scan_size * buf_len);
+
+ size_t total_buf_len = scan_size * buf_len;
+
+ if (scan_size > 0 && total_buf_len / scan_size != buf_len) {
+ ret = -EFAULT;
+ perror("Integer overflow happened when calculate scan_size * buf_len");
+ goto error;
+ }
+
+ data = malloc(total_buf_len);
if (!data) {
ret = -ENOMEM;
goto error;
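Review bot: The new overflow branch calls perror(), but no library call has failed at that point, so errno is stale and the message will end with an unrelated error string; use fprintf(stderr, ...) there instead. '-EFAULT' means a bad address, so '-EOVERFLOW' or '-EINVAL' would describe this failure more accurately. 'size_t total_buf_len' is declared after statements in the middle of the block, while the other locals of main() are declared at the top; moving it there keeps the style consistent. When scan_size is 0 the check is skipped and malloc(0) is reached, which would be clearer as an explicit rejection.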
--
2.40.1
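The wraparound described in the commit message, shown at a fixed 32-bit width so the result is the same on any build. This is an added example, not code from the patch or from iio_generic_buffer.c; the function names and the input values are constructed for illustration, and the check here tests the bound before multiplying rather than dividing the product afterwards.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked multiply at 32-bit width (size_t on a 32-bit build):
 * the product is silently reduced modulo 2^32. */
static uint32_t unchecked_size32(uint32_t scan_size, uint32_t buf_len)
{
	return scan_size * buf_len;
}

/* Checked multiply: test the bound before multiplying, so a wrapped
 * value is never produced. Returns 0 and sets *out, or -EOVERFLOW. */
static int checked_size32(uint32_t scan_size, uint32_t buf_len, uint32_t *out)
{
	if (scan_size != 0 && buf_len > UINT32_MAX / scan_size)
		return -EOVERFLOW;
	*out = scan_size * buf_len;
	return 0;
}

int main(void)
{
	/* Constructed inputs: { scan_size, buf_len }. */
	static const uint32_t cases[][2] = {
		{ 16, 128 },         /* ordinary request: 2048 bytes */
		{ 16, 0x10000001u }, /* true product 2^32 + 16, wraps to 16 */
		{ 24, 0x0AAAAAABu }, /* true product 2^32 + 8, wraps to 8 */
		{ 0, 0xFFFFFFFFu },  /* empty scan: product 0, no overflow */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint32_t scan = cases[i][0], len = cases[i][1], size = 0;
		int ret = checked_size32(scan, len, &size);

		printf("scan_size=%" PRIu32 " buf_len=%" PRIu32
		       " unchecked=%" PRIu32 " checked=%s\n",
		       scan, len, unchecked_size32(scan, len),
		       ret ? "rejected (-EOVERFLOW)" : "accepted");
	}
	return 0;
}
```

In the two wrapping cases the unchecked size is 16 and 8 bytes, which malloc() would satisfy even though the caller goes on to treat the buffer as holding buf_len full scans.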