• Dan Williams's avatar
    libnvdimm: fix integer overflow static analysis warning · 77b393af
    Dan Williams authored
    commit 58738c49 upstream.
    
    Dan reports:
        The patch 62232e45: "libnvdimm: control (ioctl) messages for
        nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
        following static checker warning:
    
                drivers/nvdimm/bus.c:1018 __nd_ioctl()
                warn: integer overflows 'buf_len'
    
        From a casual review, this seems like it might be a real bug.  On
        the first iteration we load some data into in_env[].  On the second
        iteration we read a use controlled "in_size" from nd_cmd_in_size().
        It can go up to UINT_MAX - 1.  A high number means we will fill the
        whole in_env[] buffer.  But we potentially keep looping and adding
        more to in_len so now it can be any value.
    
        It simple enough to change, but it feels weird that we keep looping
        even though in_env is totally full.  Shouldn't we just return an
        error if we don't have space for desc->in_num.
    
    We keep looping because the size of the total input is allowed to be
    bigger than the 'envelope' which is a subset of the payload that tells
    us how much data to expect. For safety explicitly check that buf_len
    does not overflow which is what the checker flagged.
    
    Fixes: 62232e45: "libnvdimm: control (ioctl) messages for nvdimm_bus..."
    Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    77b393af
bus.c 28.1 KB