| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Nov 2020 16:24:30 -0600
From: Bjorn Helgaas <helgaas@...nel.org>
To: Colin King <colin.king@...onical.com>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Christian König <christian.koenig@....com>,
Stephen Bates <sbates@...thlin.com>,
Logan Gunthorpe <logang@...tatee.com>,
Alex Williamson <alex.williamson@...hat.com>,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] PCI: fix a potential uninitentional integer overflow
issue
On Wed, Oct 07, 2020 at 03:33:45PM +0300, Dan Carpenter wrote:
> On Wed, Oct 07, 2020 at 12:46:15PM +0100, Colin King wrote:
> > From: Colin Ian King <colin.king@...onical.com>
> >
> > The shift of 1 by align_order is evaluated using 32 bit arithmetic
> > and the result is assigned to a resource_size_t type variable that
> > is a 64 bit unsigned integer on 64 bit platforms. Fix an overflow
> > before widening issue by using the BIT_ULL macro to perform the
> > shift.
> >
> > Addresses-Coverity: ("Uninitentional integer overflow")
s/Uninitentional/Unintentional/
Also in subject (please also capitalize subject)
Doesn't Coverity also assign an ID number for this specific issue?
Can you include that as well, e.g.,
Addresses-Coverity-ID: 1226899 ("Unintentional integer overflow")
> > Fixes: 07d8d7e57c28 ("PCI: Make specifying PCI devices in kernel parameters reusable")
> > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > ---
> > drivers/pci/pci.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
> > index 6d4d5a2f923d..1a5844d7af35 100644
> > --- a/drivers/pci/pci.c
> > +++ b/drivers/pci/pci.c
> > @@ -6209,7 +6209,7 @@ static resource_size_t pci_specified_resource_alignment(struct pci_dev *dev,
> > if (align_order == -1)
> > align = PAGE_SIZE;
> > else
> > - align = 1 << align_order;
> > + align = BIT_ULL(align_order);
>
> "align_order" comes from sscanf() so Smatch thinks it's not trusted.
> Anything above 63 is undefined behavior. There should be a bounds check
> on this but I don't know what the valid values of "align" are.
The spec doesn't explicitly say what the size limit for 64-bit BARs
is, but it does say 32-bit BARs can support up to 2GB (2^31). So I
infer that 2^63 would be the limit for 64-bit BARs.
What about something like the following? To me, BIT_ULL doesn't seem
like an advantage over "1ULL << ", but maybe there's a reason to use
it.
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 8b9bea8ba751..6e17d0a6828a 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -6197,19 +6197,21 @@ static resource_size_t pci_specified_resource_alignment(struct pci_dev *dev,
while (*p) {
count = 0;
if (sscanf(p, "%d%n", &align_order, &count) == 1 &&
- p[count] == '@') {
+ p[count] == '@') {
p += count + 1;
+ if (align_order > 63) {
+ pr_err("PCI: Invalid requested alignment (order %d)\n",
+ align_order);
+ align_order = PAGE_SHIFT;
+ }
} else {
- align_order = -1;
+ align_order = PAGE_SHIFT;
}
ret = pci_dev_str_match(dev, p, &p);
if (ret == 1) {
*resize = true;
- if (align_order == -1)
- align = PAGE_SIZE;
- else
- align = 1 << align_order;
+ align = 1ULL << align_order;
break;
} else if (ret < 0) {
pr_err("PCI: Can't parse resource_alignment parameter: %s\n",
Powered by blists - more mailing lists