From: Dan Carpenter <dan.carpenter@oracle.com>
To: Derek Kiernan <derek.kiernan@xilinx.com>,
Dragan Cvetic <dragan.cvetic@xilinx.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
kernel-janitors@vger.kernel.org,
Michal Simek <michal.simek@xilinx.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
Date: Wed, 21 Aug 2019 10:11:22 +0300 [thread overview]
Message-ID: <20190821071122.GD26957@mwanda> (raw)
In-Reply-To: <20190821070606.GA26957@mwanda>
The checking here needs to handle integer overflows because "offset" and
"len" come from the user.
Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/misc/xilinx_sdfec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index 3fc53d20abf3..0bf3bcc8e1ef 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
* Writes that go beyond the length of
* Shared Scale(SC) table should fail
*/
- if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
+ if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
+ len > depth / XSDFEC_REG_WIDTH_JUMP ||
+ offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
dev_dbg(xsdfec->dev, "Write exceeds SC table length");
return -EINVAL;
}
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-08-21 7:12 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
2019-08-22 8:16 ` Michal Simek
2019-08-22 8:31 ` [PATCH 2/4 v2] " Dan Carpenter
2019-08-22 17:47 ` [PATCH 2/4] " Dragan Cvetic
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
2019-08-22 8:18 ` Michal Simek
2019-08-23 8:23 ` Dragan Cvetic
2019-08-21 7:11 ` Dan Carpenter [this message]
2019-08-22 8:27 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Michal Simek
2019-08-22 17:55 ` Dragan Cvetic
2019-08-22 8:14 ` [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Michal Simek
2019-08-22 8:28 ` Dan Carpenter
2019-08-22 8:49 ` Michal Simek
2019-08-22 17:47 ` Dragan Cvetic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190821071122.GD26957@mwanda \
--to=dan.carpenter@oracle.com \
--cc=arnd@arndb.de \
--cc=derek.kiernan@xilinx.com \
--cc=dragan.cvetic@xilinx.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michal.simek@xilinx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).