| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Aug 2019 17:55:54 +0000
From: Dragan Cvetic <draganc@...inx.com>
To: Dan Carpenter <dan.carpenter@...cle.com>,
Derek Kiernan <dkiernan@...inx.com>
CC: Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michal Simek <michals@...inx.com>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in
xsdfec_table_write()
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@...cle.com]
> Sent: Wednesday 21 August 2019 08:11
> To: Derek Kiernan <dkiernan@...inx.com>; Dragan Cvetic <draganc@...inx.com>
> Cc: Arnd Bergmann <arnd@...db.de>; Greg Kroah-Hartman <gregkh@...uxfoundation.org>; Michal Simek <michals@...inx.com>;
> linux-arm-kernel@...ts.infradead.org; linux-kernel@...r.kernel.org; kernel-janitors@...r.kernel.org
> Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
>
> The checking here needs to handle integer overflows because "offset" and
> "len" come from the user.
Good catch, thanks.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 3fc53d20abf3..0bf3bcc8e1ef 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
> * Writes that go beyond the length of
> * Shared Scale(SC) table should fail
> */
> - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
> + if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
> + len > depth / XSDFEC_REG_WIDTH_JUMP ||
> + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
> dev_dbg(xsdfec->dev, "Write exceeds SC table length");
> return -EINVAL;
> }
> --
> 2.20.1
Reviewed-by: Dragan Cvetic <dragan.cvetic@...inx.com>
Thanks
Dragan
Powered by blists - more mailing lists