On 3/3/25 5:37 PM, [email protected] wrote:
> From: Alison Schofield <[email protected]>
>
> A param.offset is parsed using parse_size64() but the result is
> not checked for the error return ULLONG_MAX. If ULLONG_MAX is
> returned, follow-on calculations will lead to overflow.
>
> Add check for ULLONG_MAX upon return from parse_size64.
> Add check for overflow in subsequent PFN_MODE offset calculation.
>
> This issue was reported in a coverity scan.
>
> Signed-off-by: Alison Schofield <[email protected]>
Reviewed-by: Dave Jiang <[email protected]>
> ---
> ndctl/namespace.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
> index 5eb9e1e98e11..40bcf4ca65ac 100644
> --- a/ndctl/namespace.c
> +++ b/ndctl/namespace.c
> @@ -1872,6 +1872,10 @@ static int write_pfn_sb(int fd, unsigned long long
> size, const char *sig,
> int rc;
>
> start = parse_size64(param.offset);
> + if (start == ULLONG_MAX) {
> + err("failed to parse offset option '%s'\n", param.offset);
> + return -EINVAL;
> + }
> npfns = PHYS_PFN(size - SZ_8K);
> pfn_align = parse_size64(param.align);
> align = max(pfn_align, SUBSECTION_SIZE);
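Review bot: the ULLONG_MAX check added after `start = parse_size64(param.offset);` leaves the identical pattern two lines later, `pfn_align = parse_size64(param.align);`, unchecked, so an unparseable align string still yields ULLONG_MAX and flows into `max(pfn_align, SUBSECTION_SIZE)` and the later ALIGN() rounding. Consider giving param.align the same treatment in this hunk, e.g. `if (pfn_align == ULLONG_MAX) { err("failed to parse align option '%s'\n", param.align); return -EINVAL; }`, so both user-supplied sizes are validated before any arithmetic on them.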
> @@ -1913,6 +1917,10 @@ static int write_pfn_sb(int fd, unsigned long long
> size, const char *sig,
> * struct page size. But we also want to make sure we notice
> * when we end up adding new elements to struct page.
> */
> + if (start > ULLONG_MAX - (SZ_8K + MAX_STRUCT_PAGE_SIZE *
> npfns)) {
> + error("integer overflow in offset calculation\n");
> + return -EINVAL;
> + }
> offset = ALIGN(start + SZ_8K + MAX_STRUCT_PAGE_SIZE * npfns,
> align)
> - start;
> } else
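Review bot: the new guard `start > ULLONG_MAX - (SZ_8K + MAX_STRUCT_PAGE_SIZE * npfns)` only protects the final addition of `start`; the product `MAX_STRUCT_PAGE_SIZE * npfns` and the inner sum with SZ_8K are evaluated unguarded inside the check itself, and `ALIGN(..., align)` can still round the result past ULLONG_MAX after the check passes. Bounding `npfns` (or checking the product against `ULLONG_MAX / MAX_STRUCT_PAGE_SIZE`) before this expression would close that gap. Minor style point: this hunk reports via `error(...)` while the first hunk uses `err(...)` for the same kind of failure; pick one so the two new paths log consistently.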