Hello Dan Williams,

The patch 62232e45f4a2: "libnvdimm: control (ioctl) messages for
nvdimm_bus and nvdimm devices" from Jun 8, 2015, leads to the
following static checker warning:

        drivers/acpi/nfit/core.c:611 acpi_nfit_ctl()
        error: 'out_size' from user is not capped properly

drivers/acpi/nfit/core.c
   594          for (i = 0, offset = 0; i < desc->out_num; i++) {
   595                  u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
   596                                  (u32 *) out_obj->buffer.pointer,
   597                                  out_obj->buffer.length - offset);
   598
   599                  if (offset + out_size > out_obj->buffer.length) {
                            ^^^^^^^^^^^^^^^^^
It looks like this addition could have an integer overflow bug.
out_size is a u32 that the checker traces back to user-supplied data,
so if the sum is computed in 32 bits and wraps, it compares as small,
this test passes, and the memcpy() at line 611 runs with the uncapped
out_size.  Comparing against the remaining space instead, e.g.
"out_size > out_obj->buffer.length - offset", would not wrap.

   600                          dev_dbg(dev, "%s output object underflow cmd: %s field: %d\n",
   601                                          dimm_name, cmd_name, i);
   602                          break;
   603                  }
   604
   605                  if (in_buf.buffer.length + offset + out_size > buf_len) {
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The comments in the code suggest that this check is safe, but I don't
know the code well enough to confirm that.

   606                          dev_dbg(dev, "%s output overrun cmd: %s field: %d\n",
   607                                          dimm_name, cmd_name, i);
   608                          rc = -ENXIO;
   609                          goto out;
   610                  }
   611                  memcpy(buf + in_buf.buffer.length + offset,
   612                                  out_obj->buffer.pointer + offset, out_size);
   613                  offset += out_size;
   614          }
   615

regards,
dan carpenter