2023-11-23 10:08:29

by Anastasia Belova

[permalink] [raw]
Subject: [PATCH] qnx4: add upcasting to avoid overflow

To avoid possible integer overflow in qnx4_statfs
cast literal to unsigned long. Otherwise multiplication
of two u32 may give a value that is outside of the range.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Anastasia Belova <[email protected]>
---
fs/qnx4/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/qnx4/inode.c b/fs/qnx4/inode.c
index 6eb9bb369b57..4be8dba60567 100644
--- a/fs/qnx4/inode.c
+++ b/fs/qnx4/inode.c
@@ -133,7 +133,7 @@ static int qnx4_statfs(struct dentry *dentry, struct kstatfs *buf)

buf->f_type = sb->s_magic;
buf->f_bsize = sb->s_blocksize;
- buf->f_blocks = le32_to_cpu(qnx4_sb(sb)->BitMap->di_size) * 8;
+ buf->f_blocks = le32_to_cpu(qnx4_sb(sb)->BitMap->di_size) * 8ul;
buf->f_bfree = qnx4_count_free_blocks(sb);
buf->f_bavail = buf->f_bfree;
buf->f_namelen = QNX4_NAME_MAX;
--
2.30.2


2024-02-01 12:08:11

by Anastasia Belova

[permalink] [raw]
Subject: Re: [PATCH] qnx4: add upcasting to avoid overflow

Just a friendly reminder.

23/11/23 13:06, Anastasia Belova пишет:
> To avoid possible integer overflow in qnx4_statfs
> cast literal to unsigned long. Otherwise multiplication
> of two u32 may give a value that is outside of the range.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Anastasia Belova <[email protected]>
> ---
> fs/qnx4/inode.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/qnx4/inode.c b/fs/qnx4/inode.c
> index 6eb9bb369b57..4be8dba60567 100644
> --- a/fs/qnx4/inode.c
> +++ b/fs/qnx4/inode.c
> @@ -133,7 +133,7 @@ static int qnx4_statfs(struct dentry *dentry, struct kstatfs *buf)
>
> buf->f_type = sb->s_magic;
> buf->f_bsize = sb->s_blocksize;
> - buf->f_blocks = le32_to_cpu(qnx4_sb(sb)->BitMap->di_size) * 8;
> + buf->f_blocks = le32_to_cpu(qnx4_sb(sb)->BitMap->di_size) * 8ul;
> buf->f_bfree = qnx4_count_free_blocks(sb);
> buf->f_bavail = buf->f_bfree;
> buf->f_namelen = QNX4_NAME_MAX;