lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <aJMVFUQXdMPo+l3i@yilunxu-OptiPlex-7050>
Date: Wed, 6 Aug 2025 16:40:53 +0800
From: Xu Yilun <yilun.xu@...ux.intel.com>
To: xiehongyu1@...inos.cn
Cc: yilun.xu@...el.com, trix@...hat.com, linux-kernel@...r.kernel.org,
	linux-fpga@...r.kernel.org, mdf@...nel.org
Subject: Re: [PATCH v1] fpga: afu: fix potential intege overflow

On Mon, Aug 04, 2025 at 04:25:23PM +0800, xiehongyu1@...inos.cn wrote:
> From: Hongyu Xie <xiehongyu1@...inos.cn>
> 
> Overflow Scenarios:
> 1, region->offset + region->size Overflow:
>   When region->offset is close to U64_MAX and region->size is
> sufficiently large, the addition result may wrap around to a
> very small value (e.g., 0 or near 0).
>   In this case, even if the target range [offset, offset+size)
> falls within the region, the condition region->offset +
> region->size >= offset + size will fail due to the wrapped
> value being small. This causes the function to erroneously
> return -EINVAL.
> 
> 2, offset + size Overflow:
>   When offset is close to U64_MAX and size is large, offset +
> size wraps around to a small value.
> 
>   Here, region->offset + region->size (which would be a large
> value if not overflowing) might incorrectly satisfy
> region->offset + region->size >= offset + size due to the
> wrapped small value. This leads to a false match, even though
> the actual range [offset, offset+size) spans the wrap-around
> boundary and does not belong to this region.
> 
> So fix these two scenarios.
> 
> Signed-off-by: Hongyu Xie <xiehongyu1@...inos.cn>
> ---
>  drivers/fpga/dfl-afu-region.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/fpga/dfl-afu-region.c b/drivers/fpga/dfl-afu-region.c
> index b11a5b21e666..449c2ae809bd 100644
> --- a/drivers/fpga/dfl-afu-region.c
> +++ b/drivers/fpga/dfl-afu-region.c
> @@ -157,7 +157,8 @@ int afu_mmio_region_get_by_offset(struct dfl_feature_dev_data *fdata,
>  	afu = dfl_fpga_fdata_get_private(fdata);
>  	for_each_region(region, afu)
>  		if (region->offset <= offset &&
> -		    region->offset + region->size >= offset + size) {
> +		    region->size >= size &&
> +		    (offset - region->offset) <= (region->size - size)) {

You don't have to use these tricks, they make the code hard to
understand. If you care about the overflow, just pick some helpers from
overflow.h

And don't check region->offset + region->size for every get, they should
be properly initialized at the very beginning.

Thanks,
Yilun

>  			*pregion = *region;
>  			goto exit;
>  		}
> -- 
> 2.25.1
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ