RE: [PATCH] staging: comedi: comedi_fops: fix possible overflow in do_chaninfo_ioctl()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thursday, August 13, 2015 7:29 AM, Ian Abbott wrote:
> On 12/08/15 19:39, Dan Carpenter wrote:
>> On Wed, Aug 12, 2015 at 10:30:47AM -0700, H Hartley Sweeten wrote:
>>> @@ -1061,6 +1061,14 @@ static int do_chaninfo_ioctl(struct comedi_device *dev,
>>>   	if (it.maxdata_list) {
>>>   		if (s->maxdata || !s->maxdata_list)
>>>   			return -EINVAL;
>>> +		/*
>>> +		 * s->n_chan is usually <= 32 but _some_ comedi drivers
>>> +		 * do have more. Do a simple sanity check to make sure
>>> +		 * copy_to_user() does not overflow. In reality this
>>> +		 * should never fail...
>>> +		 */
>>> +		if (s->n_chan > (0xffffffff / sizeof(unsigned int)))
>>> +			return -EINVAL;
>>>   		if (copy_to_user(it.maxdata_list, s->maxdata_list,
>>>   				 s->n_chan * sizeof(unsigned int)))
>>
>>
>> This change doesn't make sense because an integer overflow here would be
>> basically harmless.  I don't like silencing false positives in this way.
>> It's better to ignore the warning.
>>
>> The bounds err in ni6501_port_command() was a false positive too, but
>> the fix for that made to code more readable so it was a good thing.
>
> Would a sanity check in __comedi_device_postconfig() 
>  ("drivers/staging/comedi/drivers.c") to prevent s->n_chan being set to a 
> silly value in the first place suppress the coverity issue?

Ian,

I'm not sure if coverity would handle the static analysis enough to detect
that s->n_chan had been bounds checked in drivers.c when if detects the
possible overflow in comedi_fops.c.

Regardless, I think a bounds check in __comedi_device_postconfig() is a good
idea. Maybe it should be a check against a define (COMEDI_NCHANS_MAX)?
That way something reasonable (256 or 1024?) can be used and if someone
_should_ make a board that has more it's easy to update.

Currently the largest s->n_chan appears to be 256 (in the addi_apci_3501 and
cb_pcidas drivers). I think these drivers only support that many channels by
using some external add-on boards.

Regards,
Hartley
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux