linux/drivers/nvdimm
Dan Williams 58738c495e libnvdimm: fix integer overflow static analysis warning
Dan reports:
    The patch 62232e45f4: "libnvdimm: control (ioctl) messages for
    nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
    following static checker warning:

            drivers/nvdimm/bus.c:1018 __nd_ioctl()
            warn: integer overflows 'buf_len'

    From a casual review, this seems like it might be a real bug.  On
    the first iteration we load some data into in_env[].  On the second
    iteration we read a user controlled "in_size" from nd_cmd_in_size().
    It can go up to UINT_MAX - 1.  A high number means we will fill the
    whole in_env[] buffer.  But we potentially keep looping and adding
    more to in_len so now it can be any value.

    It's simple enough to change, but it feels weird that we keep looping
    even though in_env is totally full.  Shouldn't we just return an
    error if we don't have space for desc->in_num?

We keep looping because the size of the total input is allowed to be
bigger than the 'envelope', which is a subset of the payload that tells
us how much data to expect. For safety, explicitly check that buf_len
does not overflow, which is what the checker flagged.

Cc: <stable@vger.kernel.org>
Fixes: 62232e45f4: "libnvdimm: control (ioctl) messages for nvdimm_bus..."
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2017-08-31 15:41:55 -07:00
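The accumulation bug the report describes, as an added example that is not code from drivers/nvdimm/bus.c: a model of the ioctl input-size loop, once as the unchecked sum the checker flagged and once with the explicit wrap check. The `desc_model` layout, `nd_cmd_in_size_model()` and the sample sizes are constructed for illustration.

```c
/* Added example, not the kernel's code: models the __nd_ioctl() loop that
 * sums caller-controlled field sizes into a 32-bit buf_len. */
#include <stdint.h>
#include <limits.h>

#define MAX_FIELDS 8

/* Constructed stand-in for the command descriptor (assumption). */
struct desc_model {
	unsigned int in_num;                 /* number of input fields */
	unsigned int in_sizes[MAX_FIELDS];   /* caller-controlled size per field */
};

/* Stand-in for nd_cmd_in_size(): the size the payload claims for field i.
 * Assumption: the sizes are taken directly from the model. */
static unsigned int nd_cmd_in_size_model(const struct desc_model *d, unsigned int i)
{
	return d->in_sizes[i];
}

/* Unchecked sum mirroring the flagged loop: a field of almost UINT_MAX
 * followed by another field wraps the 32-bit total back to a small value,
 * so later buffer sizing would trust a length that is far too small. */
static unsigned int accumulate_unchecked(const struct desc_model *d)
{
	unsigned int in_len = 0;
	for (unsigned int i = 0; i < d->in_num; i++)
		in_len += nd_cmd_in_size_model(d, i);
	return in_len;
}

/* Hardened sum: reject the request before the addition can wrap.
 * Returns the total, or -1 when in_len + sz would exceed UINT_MAX. */
static long long accumulate_checked(const struct desc_model *d)
{
	unsigned int in_len = 0;
	for (unsigned int i = 0; i < d->in_num; i++) {
		unsigned int sz = nd_cmd_in_size_model(d, i);
		if (sz > UINT_MAX - in_len)
			return -1; /* overflow: caller should fail with -EINVAL */
		in_len += sz;
	}
	return in_len;
}

/* Constructed samples: benign sizes, and the UINT_MAX - 1 case from the report. */
static const struct desc_model benign   = { .in_num = 3, .in_sizes = { 4, 8, 16 } };
static const struct desc_model wrapping = { .in_num = 2, .in_sizes = { UINT_MAX - 1, 8 } };
```

With `wrapping`, the unchecked loop yields 6 (UINT_MAX - 1 + 8 modulo 2^32) while the checked version refuses it.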
blk.c block: guard bvec iteration logic 2017-07-03 16:56:26 -06:00
btt_devs.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
btt.c libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
btt.h libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
bus.c libnvdimm: fix integer overflow static analysis warning 2017-08-31 15:41:55 -07:00
claim.c libnvdimm, btt: rework error clearing 2017-08-31 15:05:10 -07:00
core.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
dax_devs.c Merge branch 'for-4.13/dax' into libnvdimm-for-next 2017-07-03 16:54:58 -07:00
dimm_devs.c libnvdimm, nfit: enable support for volatile ranges 2017-06-27 16:44:13 -07:00
dimm.c libnvdimm: handle locked label storage areas 2017-05-04 15:41:39 -07:00
e820.c libnvdimm, e820: use module_platform_driver 2016-12-05 08:52:21 -08:00
Kconfig pmem: add dax_operations support 2017-04-19 15:14:35 -07:00
label.c libnvdimm, label: fix index block size calculation 2017-08-29 18:28:18 -07:00
label.h libnvdimm, btt: BTT updates for UEFI 2.7 format 2017-06-29 13:50:38 -07:00
Makefile libnvdimm, dax: introduce device-dax infrastructure 2016-05-09 15:35:42 -07:00
namespace_devs.c libnvdimm: rename nd_sector_size_{show,store} to nd_size_select_{show,store} 2017-08-11 17:36:54 -07:00
nd-core.h libnvdimm, nfit: enable support for volatile ranges 2017-06-27 16:44:13 -07:00
nd.h libnvdimm, label: fix index block size calculation 2017-08-29 18:28:18 -07:00
pfn_devs.c libnvdimm, pfn, dax: limit namespace alignments to the supported set 2017-08-15 09:32:12 -07:00
pfn.h libnvdimm, dax: autodetect support 2016-05-20 22:02:57 -07:00
pmem.c libnvdimm for 4.13 2017-07-07 09:44:06 -07:00
pmem.h libnvdimm, nd_blk: remove mmio_flush_range() 2017-08-31 15:05:10 -07:00
region_devs.c nfit, libnvdimm, region: export 'position' in mapping info 2017-08-04 17:20:16 -07:00
region.c libnvdimm, region, pmem: fix 'badblocks' sysfs_get_dirent() reference lifetime 2017-06-30 18:56:03 -07:00