Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a5eb2188 authored by Tim Sell's avatar Tim Sell Committed by Greg Kroah-Hartman
Browse files

staging: unisys: visorbus: address theoretical int overflows 



Add necessary casting to several places where we were doing 32-bit
arithmetic (unsigned) to produce a 64-bit (unsigned long) result, to
prevent the theoretical possibility of a 32-bit overflow during the
arithmetic.

FYI, these are unsigned long:

	ctx->param_bytes
	ctx->allocbytes

These are unsigned int:

	bytes
	phdr->name_offset
	phdr->name_length

Here is the test program demonstrating why we really need the casts:

void main()
{
	unsigned int i;
	unsigned long il;

	printf("sizeof(int) =%dn",sizeof(i));
	printf("sizeof(long)=%dn",sizeof(il));

	i = (unsigned int)((((unsigned long)(1)) << 32) - 1);
	printf("i                     = %un", i);
	il = i+1;
	printf("adding 1 withOUT cast = %lun", il);
	il = (unsigned long)i+1;
	printf("adding 1 WITH    cast = %lun", il);
}
[selltc@mac tmp]$ gcc x.c -o x.out
[selltc@mac tmp]$ ./x.out
sizeof(int) =4
sizeof(long)=8
i                     = 4294967295
adding 1 withOUT cast = 0
adding 1 WITH    cast = 4294967296

Signed-off-by: default avatarTim Sell <Timothy.Sell@unisys.com>
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid Kershner <david.kershner@unisys.com>
Reviewed-by: default avatarDavid Binder <david.binder@unisys.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 1c0c275b

drivers/staging/unisys/visorbus/visorchipset.c

+4 −3
Original line number Diff line number Diff line
@@ -581,7 +581,8 @@ static void *parser_name_get(struct parser_context *ctx) 
	struct visor_controlvm_parameters_header *phdr;



	phdr = &ctx->data;

	if (phdr->name_offset + phdr->name_length > ctx->param_bytes)

	if ((unsigned long)phdr->name_offset +

	    (unsigned long)phdr->name_length > ctx->param_bytes)

		return NULL;

	ctx->curr = (char *)&phdr + phdr->name_offset;

	ctx->bytes_remaining = phdr->name_length;
@@ -1308,13 +1309,13 @@ static void parser_done(struct parser_context *ctx) 
static struct parser_context *parser_init_stream(u64 addr, u32 bytes,

						 bool *retry)

{

	int allocbytes;

	unsigned long allocbytes;

	struct parser_context *ctx;

	void *mapping;



	*retry = false;

	/* alloc an extra byte to ensure payload is \0 terminated */

	allocbytes = bytes + 1 + (sizeof(struct parser_context) -

	allocbytes = (unsigned long)bytes + 1 + (sizeof(struct parser_context) -

		     sizeof(struct visor_controlvm_parameters_header));

	if ((chipset_dev->controlvm_payload_bytes_buffered + bytes) >

	     MAX_CONTROLVM_PAYLOAD_BYTES) {