Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933771AbeALNpi (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Fri, 12 Jan 2018 08:45:38 -0500
Received: from mail-db5eur01on0064.outbound.protection.outlook.com ([104.47.2.64]:14982
        "EHLO EUR01-DB5-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S933478AbeALNpd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 12 Jan 2018 08:45:33 -0500
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=ed.blake@sondrel.com; 
From: Ed Blake <ed.blake@sondrel.com>
To: gregkh@linuxfoundation.org, nunojpg@gmail.com
Cc: linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org,
        Ed Blake <ed.blake@sondrel.com>
Subject: [PATCH] serial: 8250_dw: Avoid overflow in dw8250_set_termios
Date: Fri, 12 Jan 2018 13:45:07 +0000
Message-Id: <20180112134507.9030-1-ed.blake@sondrel.com>
X-Mailer: git-send-email 2.11.0
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [195.88.9.101]
X-ClientProxiedBy: VI1PR0601CA0030.eurprd06.prod.outlook.com
 (2603:10a6:800:1e::40) To HE1P191MB0156.EURP191.PROD.OUTLOOK.COM
 (2603:10a6:3:c6::22)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4172133b-e3b1-470c-cf18-08d559c2be98
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020082)(4652020)(5600026)(4604075)(2017052603307)(7153060)(7193020);SRVR:HE1P191MB0156;
X-Microsoft-Exchange-Diagnostics: 1;HE1P191MB0156;3:21P0qp7xfmO8BD3KyTNPpUxJYcpmxNI+UabZMj2DOR/z6tYOBDy3C73sO5KNRPGdPAPsrejDjZzQWyPD9WgHXOZSsvwgCWqmc2XBtsRmAvnvd1jxNjBXIw0ldmkX0Df4eEdV08ra9yXBJ3DIBBXHH2qDfEc5QANikVlcPen4TRMmFHr+SVAOAXxfYZl/cjVUuW6o7m3U21zPNp17GK+bR9fq3SUIN01KwEMBOEWJrvTfcPi+zr4Tqz0gboxXHtYD;25:rUcrC/o2YMynARM/gi2XOFjhk+ynw8aaA/IwEfecydzRCf2Z9ZhOo52vRZ49W+s5JfiN//hvFTjKEnBBSnoZexdZTaJMXXgWjaD0wJ2IffxnJZyXq5qlDTVQYm0ljSRXKJkdU09gYtwMsZ9brGOdlHkDF5w2KIQQh0pPZnX2+nyDA4eExNi0443foNqb8o3EEVZpFygrDse+cepI6H9y3e4wBZMASQPJM6zFanZKITttKQL7BHjqr/pjHzSnaNL6r4a4wdeabw+b7HY8Rp6HV4hvsa0GjE8L/vM/afedDbK9vQCkBdrjbcBai6SOUNL2aSumIc+VCQOT6Xu9p/fWXQ==;31:pC6BZvzwyXns+YNLBFfHBMprSd6vv8Rms1ZwkhvyOlrT1j6Kh5sJk64WlotVbrJkimrj/JNlVeZu3DdkP5QVJJX/MUKbETWsTDw+ILiSrxy1bNunvcKJDOul+9C21/egWbhGiOaZB4xxnRt7lGvHHNxbM4HLKGAe9C+PDETOvi75Z47vynBjUWI4FyLtEqMKNnOHx8SYd7pfVElUV0HUeXDzYg32ORdGWms02mnkBl8=
X-MS-TrafficTypeDiagnostic: HE1P191MB0156:
X-Microsoft-Exchange-Diagnostics: 1;HE1P191MB0156;20:E4QxzKcRRLWUJEHzFzkc7VzoHJ7GtwLmyhH50eCc6xVTi3gPHS/nBgfuMZPhqKI0adAG95Wj0hxgqz/kOH2mpEFtQATqfxEyRwzp1pB3oj52UlODs5iRKLTiGgJhc+wyoWPHw+yHyOpa2nH06oe+v0629mTXNXLoVh8xuX/XDDIgs71YGiPBat+ogOcyIJNGZE9eWqJBO5OrxRH9palvy2eAKkVBRdaVTvLjlwvTDFc7hHTSOgEruhiasYomf1a7/6eAPoaN64m+KTftmRnAfx7Y6w7QWrXe2uF7VaWP6RZZs9wqxPr2ypxEWf9f68tI7WYwtQCP/+uygqk2RXNzvQ==;4:55IngpmBz6F6NQ0rtvoLNWzc6kjicfrO/xDezflfyoOOBnfbLjkU+QYyWfffBhO+XPk0u0ov6Ia79R1PW1tcDsM4VcHcrg3Qe9Zb5FgDTWKEI1C/Gf4+vRxnfqniQ9k8UEG7bo720dnqB+s3rtg6ALg/4vngK6Tg8jlj8MOCSFG/ixNde3m7lvDYxX2XQ7Hb91wqTcVIiYKusahIDEAbnQQWaEBbpumG3aldcbvw1Q7A2epfV0sjZ3uoa22oPRBs1y+2St1PFTHb6n0YNgjTwuBSZiji8+aLy1N4mZm4v5F5cxDvqNpFdnw+HijsqfQL
X-Microsoft-Antispam-PRVS: <HE1P191MB015640CB660848324B457B9B96170@HE1P191MB0156.EURP191.PROD.OUTLOOK.COM>
X-Exchange-Antispam-Report-Test: UriScan:(85827821059158);
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(6040470)(2401047)(8121501046)(5005006)(3231023)(944501144)(3002001)(93006095)(93001095)(10201501046)(6041268)(20161123560045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011);SRVR:HE1P191MB0156;BCL:0;PCL:0;RULEID:(100000803101)(100110400095);SRVR:HE1P191MB0156;
X-Forefront-PRVS: 0550778858
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(396003)(39840400004)(39380400002)(366004)(376002)(346002)(189003)(199004)(8676002)(53936002)(81156014)(2906002)(5660300001)(97736004)(3846002)(6116002)(1076002)(47776003)(66066001)(305945005)(8936002)(36756003)(7736002)(81166006)(86362001)(6666003)(16586007)(15760500003)(7696005)(6486002)(50466002)(575784001)(48376002)(68736007)(69596002)(386003)(16526018)(53416004)(105586002)(478600001)(39060400002)(52116002)(51416003)(25786009)(316002)(50226002)(107886003)(106356001)(4326008);DIR:OUT;SFP:1101;SCL:1;SRVR:HE1P191MB0156;H:blake-linux.sondrel.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;HE1P191MB0156;23:BNls5vQfXs2dRw9Ns230DtC9wACq6+ekOX7NwaS7b?=
 =?us-ascii?Q?96VP8eaFlxA93ja6wDFFGR8pUNGXj2WZ0KxFEqc9BTwTGx//TMUdxSHlauw5?=
 =?us-ascii?Q?tPQfbsko8SNCjMUL2vYfGTUWjVrRza9j8wFZBeX8bNTJuXt7iOIQZ2doAhgT?=
 =?us-ascii?Q?OER3IKFuisR717yM/E7LVAzmN+9dONBIZnkwvJzqjvJFt5x8dor8A4hyFn/J?=
 =?us-ascii?Q?sz2L8RWm4UmKziE3+tpopXz9KCA1O5JkYHpDLJabEUJ9djn3saZqBN0yeMCc?=
 =?us-ascii?Q?dBQ7jc2sP4XF+DLwJJWDreJapiy1igZgUC3o3xnAWy27FQSEqrCGBN6OI8og?=
 =?us-ascii?Q?Y/4Lr7CUlGxvnQgYY5EoDHFgQBetqtI6G/Ue1NxvB5P4HX3AREBm60Oy7XvN?=
 =?us-ascii?Q?5k0UCN+RPScHEKKGUIvDH2kIX70kP6uGmi6j3AnadR9KwD7sLaWcJC/cEAa4?=
 =?us-ascii?Q?td4yXU7QgeT5KJO7qKCzcZBblCJ+El3ashzsDKNHdfmJ/Mi7LctA5ATWENVg?=
 =?us-ascii?Q?4cJMLMkRKc2Fjx3IRU6sq8BFAou0pZcpPuB/W9mNDBb7un7tJ1pzcRyLXXiq?=
 =?us-ascii?Q?4A9N6ZB4cCrf2lafqPpMrdTIXPb0UGUT4PRQ5PvnG4zqS7GXfrq7douNggIM?=
 =?us-ascii?Q?IczmD+fkTFX1y6bzQ3TOfmKMj1yEHv5yFlkZCQTALalVPR7PJWLH5csHgda0?=
 =?us-ascii?Q?2DgGTBfjQqXlQeTmSmXL4NqEVQi0rVUJIM7chqMpCglbB+jonTsUv1FRCqmv?=
 =?us-ascii?Q?7XKU50SpNI3SyCcgH4U0yFFQ9G8hvad5ZZt0rKsy1rAnVRWLI5rdkdzz9n5b?=
 =?us-ascii?Q?2q4M6HF9xmkHh95AZyUnhLjuT+5+hOt7EZqptrl8CZrLm6xYZxGVS98p272T?=
 =?us-ascii?Q?wBQNUuItRP8fJywwTnTaVG/vXpqqbpfg/YaiLCUx6PPGXXBSUulljyzjfmiw?=
 =?us-ascii?Q?glh10JOjeeXDwOUikv8P3AD/eLVR1qF04Ji2mNbpdRvfYwGz682gBgu/TaJa?=
 =?us-ascii?Q?EV2AiTuAv+mhyW/gGCLz1G8GY1dKrNdpandAAvQKn2TAKsCzi2WM+3YKP8tr?=
 =?us-ascii?Q?9simVNMjDPTXIgzuGSEhqIVd1lK/so6MK6A6q1X56/ecc849U+p8qb+5uRJX?=
 =?us-ascii?Q?QUlDiAYZQnXgLCzBPQGjXgc/DWI7jEQ?=
X-Microsoft-Exchange-Diagnostics: 1;HE1P191MB0156;6:QxKxMeOdOGGkNo/VyOKnsa6J3EQEMRZy9Qs+6l98CnwizJpIpDm2PNJNMMcYY9iEck4Y0Klo/GHlhHGklNUFDKeR/rrC3+8v6GjhE8OF2sHnFk/tG1j7ogvvScnMF+8QhuwzynAVgeBzFwjLilcSEHk525jUPlHFlEzLXgctxWBdYN6/pbe2xnFeqo5vwvKzgwNQG7RqvkDZpOVquiEwY10MGp8591rEWzs5BUxn8o+22Y48m7ucASjT0G5SjlVhgRDlcGKYMlpK2Thv712k+oc6Yftao2m6JHCoY8F/g1RZB291NQbL+hhq30ZsmDDCfCby8FNKi1w3Q7I7QM14/ZhPIoN9QZFkle2Y+db5bEw=;5:+SN+/X5oUbe8VBQc3ceJGuSjjOWfXllW0mgqdsSZ4d4FWGb4NBb3zGvwtwerX+yqHZBE+YbFcr1WUDevPav46Y5aJeBjs73PRY6AfZO/iU3AY3Sf7hJpCHRrxtg7RHCHPOqJht0ZMzSj9584lawoR6cbWf0nnZPHref/oIdMtac=;24:WXGNSCh6CoCQBkLFoBQhaeof/VdLpYRab4XSY1LVU9OyCN392VHFfbE+YrdzGvrvM44Tn5bgv7S1hku1Ie1vom5H3d8diSkKmgMNi9BX9XY=;7:0FGj7VVxi5PnPZ9ch+2BUdepU5XKMoUfkJ09fQnkxkYWs7Pqtyq8Mfn1nIVwSdKwJdOFMK0GWFutCz82gt47QYpATG9seq7AAmPhTNz7be88aP32AF7UFVzabrIN28N1Przlo4tul1DicQ3OASRPnQvgskt7LN/EEI/pNdiAThcXjXP9DnIwZAv94MKccKtqdd3Hlz7eX+9jy52yNkpobU8JN1RJwQtXT4DU0JU/JzymnALH7CU7ScMFD7wNaO6W
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: sondrel.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Jan 2018 13:45:29.3849 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4172133b-e3b1-470c-cf18-08d559c2be98
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4faa3872-698e-4896-80ec-148b916cb1ba
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1P191MB0156
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

When searching for an achievable input clock rate that is within
+/-1.6% of an integer multiple of the target baudx16 rate, there is the
potential to overflow the i * rate calculations.

For example, on a 32-bit system with a baud rate of 4000000, the
i * max_rate calculation will overflow if i reaches 67 without finding
an acceptable rate.

Fix this by setting the upper boundary of the loop appropriately to
avoid overflow.

Reported-by: Nuno Goncalves <nunojpg@gmail.com>
Signed-off-by: Ed Blake <ed.blake@sondrel.com>
---
 drivers/tty/serial/8250/8250_dw.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
index 5bb0c42c88dd..04b44829f0e3 100644
--- a/drivers/tty/serial/8250/8250_dw.c
+++ b/drivers/tty/serial/8250/8250_dw.c
@@ -252,7 +252,7 @@ static void dw8250_set_termios(struct uart_port *p, struct ktermios *termios,
 			       struct ktermios *old)
 {
 	unsigned int baud = tty_termios_baud_rate(termios);
-	unsigned int target_rate, min_rate, max_rate;
+	unsigned int target_rate, min_rate, max_rate, div_max;
 	struct dw8250_data *d = p->private_data;
 	long rate;
 	int i, ret;
@@ -265,12 +265,14 @@ static void dw8250_set_termios(struct uart_port *p, struct ktermios *termios,
 	min_rate = target_rate - (target_rate >> 6);
 	max_rate = target_rate + (target_rate >> 6);
 
-	for (i = 1; i <= UART_DIV_MAX; i++) {
+	/* Avoid overflow */
+	div_max = min(UINT_MAX / max_rate, (unsigned int)UART_DIV_MAX);
+	for (i = 1; i <= div_max; i++) {
 		rate = clk_round_rate(d->clk, i * target_rate);
 		if (rate >= i * min_rate && rate <= i * max_rate)
 			break;
 	}
-	if (i <= UART_DIV_MAX) {
+	if (i <= div_max) {
 		clk_disable_unprepare(d->clk);
 		ret = clk_set_rate(d->clk, rate);
 		clk_prepare_enable(d->clk);
-- 
2.11.0