| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200831203811.8494-8-nicoleotsuka@gmail.com>
Date: Mon, 31 Aug 2020 13:38:11 -0700
From: Nicolin Chen <nicoleotsuka@...il.com>
To: mpe@...erman.id.au, benh@...nel.crashing.org, paulus@...ba.org,
rth@...ddle.net, ink@...assic.park.msu.ru, mattst88@...il.com,
tony.luck@...el.com, fenghua.yu@...el.com, schnelle@...ux.ibm.com,
gerald.schaefer@...ux.ibm.com, hca@...ux.ibm.com,
gor@...ux.ibm.com, borntraeger@...ibm.com, davem@...emloft.net,
tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, x86@...nel.org,
hpa@...or.com, James.Bottomley@...senPartnership.com, deller@....de
Cc: sfr@...b.auug.org.au, hch@....de, linuxppc-dev@...ts.ozlabs.org,
linux-kernel@...r.kernel.org, linux-alpha@...r.kernel.org,
linux-ia64@...r.kernel.org, linux-s390@...r.kernel.org,
sparclinux@...r.kernel.org, linux-parisc@...r.kernel.org
Subject: [RESEND][PATCH 7/7] parisc: Avoid overflow at boundary_size
The boundary_size might be as large as ULONG_MAX, which means
that a device has no specific boundary limit. So either "+ 1"
or passing it to ALIGN() would potentially overflow.
According to kernel defines:
#define ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask))
#define ALIGN(x, a) ALIGN_MASK(x, (typeof(x))(a) - 1)
We can simplify the logic here:
ALIGN(boundary + 1, 1 << shift) >> shift
= ALIGN_MASK(b + 1, (1 << s) - 1) >> s
= {[b + 1 + (1 << s) - 1] & ~[(1 << s) - 1]} >> s
= [b + 1 + (1 << s) - 1] >> s
= [b + (1 << s)] >> s
= (b >> s) + 1
So fixing a potential overflow with the safer shortcut.
Signed-off-by: Nicolin Chen <nicoleotsuka@...il.com>
Cc: Christoph Hellwig <hch@....de>
---
drivers/parisc/ccio-dma.c | 4 ++--
drivers/parisc/sba_iommu.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c
index a5507f75b524..c667d6aba764 100644
--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -356,8 +356,8 @@ ccio_alloc_range(struct ioc *ioc, struct device *dev, size_t size)
** ggg sacrifices another 710 to the computer gods.
*/
- boundary_size = ALIGN((unsigned long long)dma_get_seg_boundary(dev) + 1,
- 1ULL << IOVP_SHIFT) >> IOVP_SHIFT;
+ /* Overflow-free shortcut for: ALIGN(b + 1, 1 << s) >> s */
+ boundary_size = (dma_get_seg_boundary(dev) >> IOVP_SHIFT) + 1;
if (pages_needed <= 8) {
/*
diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c
index d4314fba0269..96bc2c617cbd 100644
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -342,8 +342,8 @@ sba_search_bitmap(struct ioc *ioc, struct device *dev,
unsigned long shift;
int ret;
- boundary_size = ALIGN((unsigned long long)dma_get_seg_boundary(dev) + 1,
- 1ULL << IOVP_SHIFT) >> IOVP_SHIFT;
+ /* Overflow-free shortcut for: ALIGN(b + 1, 1 << s) >> s */
+ boundary_size = (dma_get_seg_boundary(dev) >> IOVP_SHIFT) + 1;
#if defined(ZX1_SUPPORT)
BUG_ON(ioc->ibase & ~IOVP_MASK);
--
2.17.1
Powered by blists - more mailing lists