All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zheng Yejian <zhengyejian1@huawei.com>,
	Hanjun Guo <guohanjun@huawei.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	Zhang Jinhao <zhangjinhao2@huawei.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>,
	mcgrof@kernel.org, willy@infradead.org, tangmeng@uniontech.com
Subject: [PATCH AUTOSEL 5.10 8/9] acct: fix potential integer overflow in encode_comp_t()
Date: Sat, 17 Dec 2022 10:29:25 -0500	[thread overview]
Message-ID: <20221217152927.99012-8-sashal@kernel.org> (raw)
In-Reply-To: <20221217152927.99012-1-sashal@kernel.org>

From: Zheng Yejian <zhengyejian1@huawei.com>

[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]

The integer overflow is descripted with following codes:
  > 317 static comp_t encode_comp_t(u64 value)
  > 318 {
  > 319         int exp, rnd;
    ......
  > 341         exp <<= MANTSIZE;
  > 342         exp += value;
  > 343         return exp;
  > 344 }

Currently comp_t is defined as type of '__u16', but the variable 'exp' is
type of 'int', so overflow would happen when variable 'exp' in line 343 is
greater than 65535.

Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/acct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/acct.c b/kernel/acct.c
index f175df8f6aa4..12f7dacf560e 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -331,6 +331,8 @@ static comp_t encode_comp_t(unsigned long value)
 		exp++;
 	}
 
+	if (exp > (((comp_t) ~0U) >> MANTSIZE))
+		return (comp_t) ~0U;
 	/*
 	 * Clean it up and polish it off.
 	 */
-- 
2.35.1


  parent reply	other threads:[~2022-12-17 15:36 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-17 15:29 [PATCH AUTOSEL 5.10 1/9] fs: jfs: fix shift-out-of-bounds in dbAllocAG Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 2/9] udf: Avoid double brelse() in udf_rename() Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 3/9] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 4/9] ACPICA: Fix error code path in acpi_ds_call_control_method() Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 5/9] proc/vmcore: fix potential memory leak in vmcore_init() Sasha Levin
2022-12-17 15:29   ` Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 6/9] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Sasha Levin
2022-12-17 15:29   ` Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 7/9] nilfs2: fix shift-out-of-bounds due to too large exponent of block size Sasha Levin
2022-12-17 15:29   ` Sasha Levin
2022-12-17 15:29 ` Sasha Levin [this message]
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 9/9] hfs: fix OOB Read in __hfs_brec_find Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221217152927.99012-8-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=guohanjun@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=rdunlap@infradead.org \
    --cc=stable@vger.kernel.org \
    --cc=tangmeng@uniontech.com \
    --cc=vbabka@suse.cz \
    --cc=willy@infradead.org \
    --cc=zhangjinhao2@huawei.com \
    --cc=zhengyejian1@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.