Date:   Wed, 26 May 2021 13:49:34 -0300
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Colin King <colin.king@...onical.com>
Cc:     Jérôme Glisse <jglisse@...hat.com>,
        Alistair Popple <apopple@...dia.com>,
        Ralph Campbell <rcampbell@...dia.com>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH][next] mm: selftests: fix potential integer overflow on
 shift of a int

On Wed, May 26, 2021 at 04:09:47PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@...onical.com>
> 
> The left shift of the int mapped is evaluated using 32 bit arithmetic
> and then assigned to an unsigned long. In the case where mapped is
> 0x80000 when PAGE_SHIFT is 12, this will lead to the upper bits being
> sign extended in the unsigned long. Larger values can lead to an
> int overflow. Avoid this by casting mapped to unsigned long before
> shifting.
> 
> Addresses-Coverity: ("Unintentional integer overflow")
> Fixes: 8b2a105c3794 ("mm: selftests for exclusive device memory")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
>  lib/test_hmm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/test_hmm.c b/lib/test_hmm.c
> index 74d69f87691e..b54657701b3a 100644
> +++ b/lib/test_hmm.c
> @@ -749,7 +749,7 @@ static int dmirror_exclusive(struct dmirror *dmirror,
>  			}
>  		}
>  
> -		if (addr + (mapped << PAGE_SHIFT) < next) {
> +		if (addr + ((unsigned int)mapped << PAGE_SHIFT) < next) {
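
Review bot: The cast on the `+` line is `(unsigned int)`, but the commit message says mapped is cast to unsigned long before shifting. With `(unsigned int)mapped << PAGE_SHIFT` the shift is still evaluated in 32 bits, so the sign extension goes away but the high bits are still lost once mapped reaches 0x100000 with a PAGE_SHIFT of 12, and the comparison against `next` can still be wrong. Suggest `(unsigned long)mapped << PAGE_SHIFT` so the code matches the description, or making `mapped` an unsigned long where it is declared so that no cast is needed.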

Just fix the type for mapped. It started out as an unsigned long in
dmirror_atomic_map() and wrongly became an int here.

Jason
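
The three ways of evaluating `addr + (mapped << PAGE_SHIFT)` discussed in this thread, as an added example that is not code from the patch or from the kernel. The function names and sample addresses are constructed for illustration, and `uint64_t` stands in for a 64-bit `unsigned long`.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* value used in the commit message */

/* mapped as a 32-bit int: the shift wraps in 32 bits and the result is
 * sign-extended when it is widened for the addition. The shift is done on
 * the unsigned bit pattern so this program has no signed-overflow UB
 * (assumption: two's complement conversion, as gcc and clang implement it). */
static uint64_t end_int_shift(uint64_t addr, int32_t mapped)
{
    int32_t shifted = (int32_t)((uint32_t)mapped << PAGE_SHIFT);
    return addr + (uint64_t)(int64_t)shifted; /* sign extension happens here */
}

/* (unsigned int) cast: no sign extension, but the shift is still 32-bit
 * and silently drops bits 32 and above. */
static uint64_t end_uint_shift(uint64_t addr, int32_t mapped)
{
    uint32_t shifted = (uint32_t)mapped << PAGE_SHIFT;
    return addr + shifted;
}

/* Widen first, then shift: the full 64-bit result is kept. */
static uint64_t end_wide_shift(uint64_t addr, int32_t mapped)
{
    return addr + ((uint64_t)mapped << PAGE_SHIFT);
}

int main(void)
{
    /* Constructed sample page counts: below, at, and above the boundaries. */
    const int32_t samples[] = { 0x7ffff, 0x80000, 0x100000 };
    const uint64_t addr = 0x1000; /* constructed start address */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t m = samples[i];
        printf("mapped=0x%-7x int=0x%016llx uint=0x%016llx wide=0x%016llx\n",
               (unsigned)m,
               (unsigned long long)end_int_shift(addr, m),
               (unsigned long long)end_uint_shift(addr, m),
               (unsigned long long)end_wide_shift(addr, m));
    }
    return 0;
}
```

Only the widened form gives the intended end address for all three inputs; the other two agree with it only while the shifted value fits in 31 or 32 bits respectively.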
