Message-ID: <ccb81bc5-3c5c-46df-9f52-d6b6de790e1e@mev.co.uk>
Date: Thu, 18 Jan 2024 11:11:18 +0000
From: Ian Abbott <abbotti@....co.uk>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Denis Arefev <arefev@...mel.ru>
Cc: H Hartley Sweeten <hsweeten@...ionengravers.com>,
open list <linux-kernel@...r.kernel.org>, lvc-project@...uxtesting.org
Subject: Re: [PATCH] comedi: drivers: ni_tio: Fix arithmetic expression
overflow
On 18/01/2024 09:32, Greg Kroah-Hartman wrote:
> On Thu, Jan 18, 2024 at 10:36:19AM +0300, Denis Arefev wrote:
>> The value of an arithmetic expression period_ns * 1000 is subject
>> to overflow due to a failure to cast operands to a larger data
>> type before performing arithmetic
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Reviewed-by: Ian Abbott <abbotti@....co.uk>
>> Signed-off-by: Denis Arefev <arefev@...mel.ru>
>> ---
>> drivers/comedi/drivers/ni_tio.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/comedi/drivers/ni_tio.c b/drivers/comedi/drivers/ni_tio.c
>> index da6826d77e60..acc914903c70 100644
>> --- a/drivers/comedi/drivers/ni_tio.c
>> +++ b/drivers/comedi/drivers/ni_tio.c
>> @@ -800,7 +800,7 @@ static int ni_tio_set_clock_src(struct ni_gpct *counter,
>> GI_PRESCALE_X2(counter_dev->variant) |
>> GI_PRESCALE_X8(counter_dev->variant), bits);
>> }
>> - counter->clock_period_ps = period_ns * 1000;
>> + counter->clock_period_ps = period_ns * 1000UL;
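Review bot: the UL suffix on the added line only widens the multiply where unsigned long is wider than unsigned int. On 32-bit builds unsigned long is 32 bits, so period_ns * 1000UL can still wrap for a large period_ns. If clock_period_ps is a 64-bit field (its type is not visible in this hunk), use 1000ULL or cast with (u64)period_ns so the product is computed in 64 bits on every architecture.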
>
> Can period_ns ever be "too big" to cause such an overflow?
The period_ns value comes from user-space and could be any unsigned int
value. It's used to let the driver know the period of an external clock
source.
> And what commit id does this fix?
Fixes: 3e90b1c7ebe9 ("staging: comedi: ni_tio: tidy up
ni_tio_set_clock_src() and helpers")
Cc: <stable@...r.kernel.org> # v5.15+
The first affected kernel version is v3.17. This patch should apply
cleanly to v5.13 onwards (when comedi was moved out of drivers/staging),
but earlier stable/longterm kernels would require a backported patch.
@Denis, if you could add the above Fixes: and Cc: lines to a v2 patch,
that would be great!
>
> thanks,
>
> greg k-h
--
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
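The overflow discussed in this thread, as an added user-space example that is not part of the original message or of the kernel driver. The helper names are hypothetical, the sample inputs are constructed, and a 64-bit destination for the picosecond value is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: multiply done in 32 bits, as in the pre-patch line.
 * "period_ns * 1000UL" behaves the same where unsigned long is 32 bits. */
static uint64_t period_ps_narrow(uint32_t period_ns)
{
    uint32_t product = period_ns * 1000u; /* wraps modulo 2^32 */
    return product;                       /* widened too late */
}

/* Hypothetical helper: one operand is widened first, so the multiply is
 * 64-bit on every architecture. */
static uint64_t period_ps_wide(uint32_t period_ns)
{
    return (uint64_t)period_ns * 1000u;
}

/* Largest period_ns whose picosecond value still fits in 32 bits. */
static uint32_t max_exact_period_ns(void)
{
    return UINT32_MAX / 1000u;
}

/* 1 if the 32-bit multiply loses information for this input. */
static int narrow_wraps(uint32_t period_ns)
{
    return period_ps_narrow(period_ns) != period_ps_wide(period_ns);
}

int main(void)
{
    /* Constructed sample inputs: boundary, boundary + 1, largest value. */
    const uint32_t samples[] = { 4294967u, 4294968u, UINT32_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("period_ns=%u narrow=%llu wide=%llu wraps=%d\n",
               (unsigned)samples[i],
               (unsigned long long)period_ps_narrow(samples[i]),
               (unsigned long long)period_ps_wide(samples[i]),
               narrow_wraps(samples[i]));
    return 0;
}
```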