[PATCH] paride: Fixed integer overflow in pt_read and pt_write

From: Hyunwoo Kim
Date: Sat Jun 18 2022 - 23:40:38 EST


In pt_read() and pt_write(), the "size_t count" variable is
assigned to the "int n" variable and then size check is performed.

static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
{
...
int k, n, r, p, s, t, b;

...

while (count > 0) {

if (!pt_poll_dsc(tape, HZ / 100, PT_TMO, "write"))
return -EIO;

n = count;
if (n > 32768)
n = 32768; /* max per command */

If the user passes the SIZE_MAX value to the "count" variable,
the "n" value is greater than 32768, but it becomes a negative
number and passes the size check.
In other words, we need to add a negative check as well,
since the size check makes no sense.

Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx>
---
drivers/block/paride/pt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c
index e815312a00ad..f37aa1349622 100644
--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -787,7 +787,7 @@ static ssize_t pt_read(struct file *filp, char __user *buf, size_t count, loff_t
return -EIO;

n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
@@ -888,7 +888,7 @@ static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count,
return -EIO;

n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
--
2.25.1