Re: [PATCH] comedi: drivers: ni_tio: Fix arithmetic expression overflow
From: Ian Abbott
Date: Thu Jan 18 2024 - 08:37:30 EST
On 18/01/2024 09:32, Greg Kroah-Hartman wrote:
On Thu, Jan 18, 2024 at 10:36:19AM +0300, Denis Arefev wrote:
The value of an arithmetic expression period_ns * 1000 is subject
to overflow due to a failure to cast operands to a larger data
type before performing arithmetic
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reviewed-by: Ian Abbott <abbotti@xxxxxxxxx>
Signed-off-by: Denis Arefev <arefev@xxxxxxxxx>
---
drivers/comedi/drivers/ni_tio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/comedi/drivers/ni_tio.c b/drivers/comedi/drivers/ni_tio.c
index da6826d77e60..acc914903c70 100644
--- a/drivers/comedi/drivers/ni_tio.c
+++ b/drivers/comedi/drivers/ni_tio.c
@@ -800,7 +800,7 @@ static int ni_tio_set_clock_src(struct ni_gpct *counter,
GI_PRESCALE_X2(counter_dev->variant) |
GI_PRESCALE_X8(counter_dev->variant), bits);
}
- counter->clock_period_ps = period_ns * 1000;
+ counter->clock_period_ps = period_ns * 1000UL;
Can period_ns ever be "too big" to cause such an overflow?
The period_ns value comes from user-space and could be any unsigned int
value. It's used to let the driver know the period of an external clock
source.
And what commit id does this fix?
Fixes: 3e90b1c7ebe9 ("staging: comedi: ni_tio: tidy up
ni_tio_set_clock_src() and helpers")
Cc: <stable@xxxxxxxxxxxxxxx> # v5.15+
The first affected kernel version is v3.17. This patch should apply
cleanly to v5.13 onwards (when comedi was moved out of drivers/staging),
but earlier stable/longterm kernels would require a backported patch.
@Denis, if you could add the above Fixes: and Cc: lines to a v2 patch,
that would be great!
thanks,
greg k-h
--
-=( Ian Abbott <abbotti@xxxxxxxxx> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-