Re: [PATCH 1/2] staging: unisys: visorbus: address theoretical int overflows

From: Dan Carpenter
Date: Tue Nov 28 2017 - 09:12:10 EST


> --- a/drivers/staging/unisys/visorbus/visorchipset.c
> +++ b/drivers/staging/unisys/visorbus/visorchipset.c
> @@ -581,7 +581,8 @@ static void *parser_name_get(struct parser_context *ctx)
> struct visor_controlvm_parameters_header *phdr;
>
> phdr = &ctx->data;
> - if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
> + if ((unsigned long)phdr->name_offset +
> + (unsigned long)phdr->name_length > ctx->param_bytes)
> return NULL;
> ctx->curr = (char *)&phdr + phdr->name_offset;
> ctx->bytes_remaining = phdr->name_length;


I haven't reviewed this code very thouroughly. This should fix the
issue on 64 bit systems, but it's a no-op on 32 bit systems. Which
might be fine? I would be more comfortable if we just checked for
integer overflow explicitly. There are bunch of ways to do that:

if (phdr->name_offset > ctx->param_bytes ||
phdr->name_length > ctx->param_bytes ||
phdr->name_offset + phdr->name_length > ctx->param_bytes)

Or:

if (phdr->name_offset + phdr->name_length < phdr->name_offset ||
phdr->name_offset + phdr->name_length > ctx->param_bytes)
return NULL;

regards,
dan carpenter