From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Dan Williams
Subject: [PATCH 4.9 31/39] libnvdimm: fix integer overflow static analysis warning
Date: Mon, 26 Feb 2018 21:20:52 +0100
Message-Id: <20180226201645.039001170@linuxfoundation.org>
In-Reply-To: <20180226201643.660109883@linuxfoundation.org>
References: <20180226201643.660109883@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Dan Williams

commit 58738c495e15badd2015e19ff41f1f1ed55200bc upstream.

Dan reports:

    The patch 62232e45f4a2: "libnvdimm: control (ioctl) messages for
    nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
    following static checker warning:

        drivers/nvdimm/bus.c:1018 __nd_ioctl()
        warn: integer overflows 'buf_len'

    From a casual review, this seems like it might be a real bug.  On
    the first iteration we load some data into in_env[].  On the second
    iteration we read a user controlled "in_size" from nd_cmd_in_size().
    It can go up to UINT_MAX - 1.  A high number means we will fill the
    whole in_env[] buffer.  But we potentially keep looping and adding
    more to in_len so now it can be any value.

    It's simple enough to change, but it feels weird that we keep
    looping even though in_env is totally full.  Shouldn't we just
    return an error if we don't have space for desc->in_num?

We keep looping because the size of the total input is allowed to be
bigger than the 'envelope' which is a subset of the payload that tells
us how much data to expect.  For safety explicitly check that buf_len
does not overflow which is what the checker flagged.

Cc:
Fixes: 62232e45f4a2: "libnvdimm: control (ioctl) messages for nvdimm_bus..."
Reported-by: Dan Carpenter
Signed-off-by: Dan Williams
Signed-off-by: Greg Kroah-Hartman
---
 drivers/nvdimm/bus.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -812,16 +812,17 @@ static int __nd_ioctl(struct nvdimm_bus int read_only, unsigned int ioctl_cmd, unsigned long arg) { struct nvdimm_bus_descriptor *nd_desc = nvdimm_bus->nd_desc; - size_t buf_len = 0, in_len = 0, out_len = 0; static char out_env[ND_CMD_MAX_ENVELOPE]; static char in_env[ND_CMD_MAX_ENVELOPE]; const struct nd_cmd_desc *desc = NULL; unsigned int cmd = _IOC_NR(ioctl_cmd); void __user *p = (void __user *) arg; struct device *dev = &nvdimm_bus->dev; - struct nd_cmd_pkg pkg; const char *cmd_name, *dimm_name; + u32 in_len = 0, out_len = 0; unsigned long cmd_mask; + struct nd_cmd_pkg pkg; + u64 buf_len = 0; void *buf; int rc, i; @@ -882,7 +883,7 @@ static int __nd_ioctl(struct nvdimm_bus } if (cmd == ND_CMD_CALL) { - dev_dbg(dev, "%s:%s, idx: %llu, in: %zu, out: %zu, len %zu\n", + dev_dbg(dev, "%s:%s, idx: %llu, in: %u, out: %u, len %llu\n", __func__, dimm_name, pkg.nd_command, in_len, out_len, buf_len); @@ -912,9 +913,9 @@ static int __nd_ioctl(struct nvdimm_bus out_len += out_size; } - buf_len = out_len + in_len; + buf_len = (u64) out_len + (u64) in_len; if (buf_len > ND_IOCTL_MAX_BUFLEN) { - dev_dbg(dev, "%s:%s cmd: %s buf_len: %zu > %d\n", __func__, + dev_dbg(dev, "%s:%s cmd: %s buf_len: %llu > %d\n", __func__, dimm_name, cmd_name, buf_len, ND_IOCTL_MAX_BUFLEN); return -EINVAL;
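Review bot: in the first hunk (@@ -812), narrowing `in_len` and `out_len` from `size_t` to `u32` relocates the wrap risk rather than removing it. The commit message itself states that each `in_size` returned by `nd_cmd_in_size()` can be as large as UINT_MAX - 1 and that the loop keeps adding it to `in_len`, so a few large fields are enough for a `u32 in_len` to wrap around before the widened `u64` sum is ever compared against `ND_IOCTL_MAX_BUFLEN`. Suggest accumulating `in_len` and `out_len` in `u64` as well, or bailing out inside the loop as soon as `in_len + in_size` exceeds `ND_IOCTL_MAX_BUFLEN`, so the final check sees the true total rather than a wrapped one.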
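Review bot: in the third hunk (@@ -912), the `(u64)` casts on both operands are the load-bearing part of the fix and deserve a one-line comment: `out_len + in_len` on two `u32` operands is evaluated in 32 bits and would wrap before being widened into `u64 buf_len`, silently passing the `ND_IOCTL_MAX_BUFLEN` check, so a later cleanup that drops the casts as "redundant" would reintroduce the bug. Also worth noting that the comparison now mixes a `u64` with the `int` macro `ND_IOCTL_MAX_BUFLEN`, which is only safe while that macro stays non-negative.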