lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1510939659-15039-2-git-send-email-david.kershner@unisys.com>
Date:   Fri, 17 Nov 2017 12:27:38 -0500
From:   David Kershner <david.kershner@...sys.com>
To:     <david.kershner@...sys.com>, <gregkh@...uxfoundation.org>,
        <jes.sorensen@...il.com>, <linux-kernel@...r.kernel.org>,
        <driverdev-devel@...uxdriverproject.org>,
        <sparmaintainer@...sys.com>, <erik.arfvidson@...il.com>,
        <wadgaonkarsam@...il.com>
CC:     Tim Sell <Timothy.Sell@...sys.com>
Subject: [PATCH 1/2] staging: unisys: visorbus: address theoretical int overflows

From: Tim Sell <Timothy.Sell@...sys.com>

Add necessary casting to several places where we were doing 32-bit
arithmetic (unsigned) to produce a 64-bit (unsigned long) result, to
prevent the theoretical possibility of a 32-bit overflow during the
arithmetic.

FYI, these are unsigned long:

	ctx->param_bytes
	ctx->allocbytes

These are unsigned int:

	bytes
	phdr->name_offset
	phdr->name_length

Here is the test program demonstrating why we really need the casts:

void main()
{
	unsigned int i;
	unsigned long il;

	printf("sizeof(int) =%dn",sizeof(i));
	printf("sizeof(long)=%dn",sizeof(il));

	i = (unsigned int)((((unsigned long)(1)) << 32) - 1);
	printf("i                     = %un", i);
	il = i+1;
	printf("adding 1 withOUT cast = %lun", il);
	il = (unsigned long)i+1;
	printf("adding 1 WITH    cast = %lun", il);
}
[selltc@mac tmp]$ gcc x.c -o x.out
[selltc@mac tmp]$ ./x.out
sizeof(int) =4
sizeof(long)=8
i                     = 4294967295
adding 1 withOUT cast = 0
adding 1 WITH    cast = 4294967296

Signed-off-by: Tim Sell <Timothy.Sell@...sys.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: David Kershner <david.kershner@...sys.com>
Reviewed-by: David Binder <david.binder@...sys.com>
---
 drivers/staging/unisys/visorbus/visorchipset.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/unisys/visorbus/visorchipset.c b/drivers/staging/unisys/visorbus/visorchipset.c
index fed554a4..ef2823a 100644
--- a/drivers/staging/unisys/visorbus/visorchipset.c
+++ b/drivers/staging/unisys/visorbus/visorchipset.c
@@ -590,7 +590,8 @@ static void *parser_name_get(struct parser_context *ctx)
 	struct visor_controlvm_parameters_header *phdr;
 
 	phdr = &ctx->data;
-	if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
+	if ((unsigned long)phdr->name_offset +
+	    (unsigned long)phdr->name_length > ctx->param_bytes)
 		return NULL;
 	ctx->curr = (char *)&phdr + phdr->name_offset;
 	ctx->bytes_remaining = phdr->name_length;
@@ -1317,13 +1318,13 @@ static void parser_done(struct parser_context *ctx)
 static struct parser_context *parser_init_stream(u64 addr, u32 bytes,
 						 bool *retry)
 {
-	int allocbytes;
+	unsigned long allocbytes;
 	struct parser_context *ctx;
 	void *mapping;
 
 	*retry = false;
 	/* alloc an extra byte to ensure payload is \0 terminated */
-	allocbytes = bytes + 1 + (sizeof(struct parser_context) -
+	allocbytes = (unsigned long)bytes + 1 + (sizeof(struct parser_context) -
 		     sizeof(struct visor_controlvm_parameters_header));
 	if ((chipset_dev->controlvm_payload_bytes_buffered + bytes) >
 	     MAX_CONTROLVM_PAYLOAD_BYTES) {
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ