From: Alison Schofield <alison.schofi...@intel.com>

The param.offset value is parsed using parse_size64(), but the result is
not checked for the error return ULLONG_MAX. If ULLONG_MAX is
returned, the follow-on calculations overflow.

Add check for ULLONG_MAX upon return from parse_size64.
Add check for overflow in subsequent PFN_MODE offset calculation.

This issue was reported in a coverity scan.

Signed-off-by: Alison Schofield <alison.schofi...@intel.com>
Reviewed-by: Dave Jiang <dave.ji...@intel.com>
---
 ndctl/namespace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ndctl/namespace.c b/ndctl/namespace.c
index 6c86eadcad69..2cee1c4c1451 100644
--- a/ndctl/namespace.c
+++ b/ndctl/namespace.c
@@ -1873,6 +1873,10 @@ static int write_pfn_sb(int fd, unsigned long long size, 
const char *sig,
        int rc;
 
        start = parse_size64(param.offset);
+       if (start == ULLONG_MAX) {
+               err("failed to parse offset option '%s'\n", param.offset);
+               return -EINVAL;
+       }
        npfns = PHYS_PFN(size - SZ_8K);
        pfn_align = parse_size64(param.align);
        align = max(pfn_align, SUBSECTION_SIZE);
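Review bot: The same unchecked parse survives two lines below the new check: `pfn_align = parse_size64(param.align);` feeds `align = max(pfn_align, SUBSECTION_SIZE);` with no ULLONG_MAX test, so a malformed align string would turn into an ULLONG_MAX alignment that the later ALIGN() arithmetic wraps on. Unless param.align is validated before write_pfn_sb is reached (not visible in this hunk), the pattern just added for param.offset should be applied to it too: `if (pfn_align == ULLONG_MAX) { err("failed to parse align option '%s'\n", param.align); return -EINVAL; }`. write_pfn_sb begins before this hunk and continues after it.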
@@ -1914,6 +1918,10 @@ static int write_pfn_sb(int fd, unsigned long long size, 
const char *sig,
                 * struct page size. But we also want to make sure we notice
                 * when we end up adding new elements to struct page.
                 */
+               if (start > ULLONG_MAX - (SZ_8K + MAX_STRUCT_PAGE_SIZE * 
npfns)) {
+                       error("integer overflow in offset calculation\n");
+                       return -EINVAL;
+               }
                offset = ALIGN(start + SZ_8K + MAX_STRUCT_PAGE_SIZE * npfns, 
align)
                        - start;
        } else
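Review bot: The added guard covers only the plain sum, but the expression it protects is `ALIGN(start + SZ_8K + MAX_STRUCT_PAGE_SIZE * npfns, align)`, and ALIGN rounds up by as much as `align - 1`, so a sum just below ULLONG_MAX passes the check and still wraps inside ALIGN(). The product `MAX_STRUCT_PAGE_SIZE * npfns` is also evaluated before the comparison can see it; whether it can wrap depends on the type and range of npfns, which are outside this hunk. A check that covers both cases would be `if (npfns > (ULLONG_MAX - SZ_8K) / MAX_STRUCT_PAGE_SIZE || start > ULLONG_MAX - (align - 1) - (SZ_8K + MAX_STRUCT_PAGE_SIZE * npfns))`. Separately, this hunk reports through `error()` while the first hunk uses `err()`; if both helpers are available here, using one of them for both new checks keeps the error path consistent. The enclosing PFN_MODE branch and write_pfn_sb itself start before the hunk.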
-- 
2.37.3

