• D
    genwqe: Prevent an integer overflow in the ioctl · 67bdeb0c
    Dan Carpenter 提交于
    commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream.
    
    There are a couple potential integer overflows here.
    
    	round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);
    
    The first thing is that the "m->size + (...)" addition could overflow,
    and the second is that round_up() overflows to zero if the result is
    within PAGE_SIZE of the type max.
    
    In this code, the "m->size" variable is an u64 but we're saving the
    result in "map_size" which is an unsigned long and genwqe_user_vmap()
    takes an unsigned long as well.  So I have used ULONG_MAX as the upper
    bound.  From a practical perspective unsigned long is fine/better than
    trying to change all the types to u64.
    
    Fixes: eaf4722d ("GenWQE Character device and DDCB queue")
    Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    67bdeb0c
card_utils.c 27.3 KB