Hi Dan, > -----Original Message----- > From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] > Sent: Wednesday 21 August 2019 08:11 > To: Derek Kiernan <dkiernan@xxxxxxxxxx>; Dragan Cvetic <draganc@xxxxxxxxxx> > Cc: Arnd Bergmann <arnd@xxxxxxxx>; Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>; Michal Simek <michals@xxxxxxxxxx>; > linux-arm-kernel@xxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; kernel-janitors@xxxxxxxxxxxxxxx > Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() > > The checking here needs to handle integer overflows because "offset" and > "len" come from the user. Good catch, thanks. > > Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > drivers/misc/xilinx_sdfec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c > index 3fc53d20abf3..0bf3bcc8e1ef 100644 > --- a/drivers/misc/xilinx_sdfec.c > +++ b/drivers/misc/xilinx_sdfec.c > @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset, > * Writes that go beyond the length of > * Shared Scale(SC) table should fail > */ > - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { > + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || > + len > depth / XSDFEC_REG_WIDTH_JUMP || > + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { > dev_dbg(xsdfec->dev, "Write exceeds SC table length"); > return -EINVAL; > } > -- > 2.20.1 Reviewed-by: Dragan Cvetic <dragan.cvetic@xxxxxxxxxx> Thanks Dragan
