From: Mathieu Poirier <mathieu.poirier@linaro.org>
To: stable@vger.kernel.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-pm@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-omap@vger.kernel.org, linux-i2c@vger.kernel.org,
linux-pci@vger.kernel.org, linux-mtd@lists.infradead.org
Subject: [BACKPORT 4.14.y 09/18] misc: pci_endpoint_test: Prevent some integer overflows
Date: Thu, 5 Sep 2019 10:17:50 -0600 [thread overview]
Message-ID: <20190905161759.28036-10-mathieu.poirier@linaro.org> (raw)
In-Reply-To: <20190905161759.28036-1-mathieu.poirier@linaro.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 378f79cab12b669928f3a4037f023837ead2ce0c upstream
"size + max" can have an arithmetic overflow when we're allocating:
orig_src_addr = dma_alloc_coherent(dev, size + alignment, ...
I've added a few checks to prevent that.
Fixes: 13107c60681f ("misc: pci_endpoint_test: Add support to provide aligned buffer addresses")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
---
drivers/misc/pci_endpoint_test.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
index 9849bf183299..504fa680825d 100644
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -226,6 +226,9 @@ static bool pci_endpoint_test_copy(struct pci_endpoint_test *test, size_t size)
u32 src_crc32;
u32 dst_crc32;
+ if (size > SIZE_MAX - alignment)
+ goto err;
+
orig_src_addr = dma_alloc_coherent(dev, size + alignment,
&orig_src_phys_addr, GFP_KERNEL);
if (!orig_src_addr) {
@@ -311,6 +314,9 @@ static bool pci_endpoint_test_write(struct pci_endpoint_test *test, size_t size)
size_t alignment = test->alignment;
u32 crc32;
+ if (size > SIZE_MAX - alignment)
+ goto err;
+
orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr,
GFP_KERNEL);
if (!orig_addr) {
@@ -369,6 +375,9 @@ static bool pci_endpoint_test_read(struct pci_endpoint_test *test, size_t size)
size_t alignment = test->alignment;
u32 crc32;
+ if (size > SIZE_MAX - alignment)
+ goto err;
+
orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr,
GFP_KERNEL);
if (!orig_addr) {
--
2.17.1
next prev parent reply other threads:[~2019-09-05 16:19 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-05 16:17 [BACKPORT 4.14.y 00/18] Backport candidate from TI 4.14 product kernel Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 01/18] PCI: designware-ep: Fix find_first_zero_bit() usage Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 02/18] PCI: dra7xx: Fix legacy INTD IRQ handling Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 03/18] drm/omap: panel-dsi-cm: fix driver Mathieu Poirier
2019-09-10 14:34 ` Greg KH
2019-09-11 11:48 ` Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 04/18] usb: dwc3: Allow disabling of metastability workaround Mathieu Poirier
2019-09-10 14:36 ` Greg KH
2019-09-11 14:01 ` Mathieu Poirier
2019-11-11 9:16 ` Greg KH
2019-09-05 16:17 ` [BACKPORT 4.14.y 05/18] mfd: palmas: Assign the right powerhold mask for tps65917 Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 06/18] ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 07/18] mtd: spi-nor: enable 4B opcodes for mx66l51235l Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 08/18] mtd: spi-nor: cadence-quadspi: add a delay in write sequence Mathieu Poirier
2019-09-05 16:17 ` Mathieu Poirier [this message]
2019-09-05 16:17 ` [BACKPORT 4.14.y 10/18] PCI: dra7xx: Add shutdown handler to cleanly turn off clocks Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 11/18] misc: pci_endpoint_test: Fix BUG_ON error during pci_disable_msi() Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 12/18] mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 13/18] ASoC: tlv320dac31xx: mark expected switch fall-through Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 14/18] ASoC: davinci-mcasp: Handle return value of devm_kasprintf Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 15/18] ASoC: davinci: Kill BUG_ON() usage Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 16/18] ASoC: davinci-mcasp: Fix an error handling path in 'davinci_mcasp_probe()' Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 17/18] i2c: omap: Trigger bus recovery in lockup case Mathieu Poirier
2019-09-05 16:17 ` [BACKPORT 4.14.y 18/18] cpufreq: ti-cpufreq: add missing of_node_put() Mathieu Poirier
2019-09-05 16:24 ` [BACKPORT 4.14.y 00/18] Backport candidate from TI 4.14 product kernel Wolfram Sang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190905161759.28036-10-mathieu.poirier@linaro.org \
--to=mathieu.poirier@linaro.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-omap@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).