On Tue, Jun 22, 2021 at 09:56:42PM +0000, Nikolova, Tatyana E wrote:

> > > switch (req.reg_type) {
> > > case IRDMA_MEMREG_TYPE_QP:
> > > + if (req.sq_pages + req.rq_pages + shadow_pgcnt > iwmr-
> > >page_cnt) {
> >
> > Math on values from userspace should use the check overflow helpers or
> > otherwise be designed to be overflow safe
>
> The mem_reg_req fields sq_pages and rq_pages are u16 and the
> variable shadow_pgcnt is u8. They should be promoted to u32 when
> compared with iwmr->page_cnt which is u32. Isn't this overflow safe?

I didn't check the sizes carefully, and I'm always nervous about
relying on implicit promotion for security properties as it is so
subtle and easy to get screwed up during maintenance

> Is the issue you are mentioning about this line:
>
> > > + qpmr->shadow = (dma_addr_t)arr[req->sq_pages + req->rq_pages];

I assume this is safe because of the if above?

Jason
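
Review bot: the bound check `if (req.sq_pages + req.rq_pages + shadow_pgcnt > iwmr->page_cnt)` adds the request fields inline and is only correct while their types stay narrower than the type the sum is computed in. Suggest computing the total once into an explicitly typed local, using the check overflow helpers or a comment stating why the sum cannot wrap, and comparing that local against `iwmr->page_cnt`.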
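
Review bot: the index in `arr[req->sq_pages + req->rq_pages]` is not bounded in the visible line; it depends on the `iwmr->page_cnt` comparison made elsewhere on `req.sq_pages` and `req.rq_pages`. A comment at this line naming that precondition, or a check against the number of entries in `arr` here, would keep the index and the check from drifting apart.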
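
The maintenance concern raised in this reply, as an added C example (not code from the patch or the irdma driver). The struct layouts, function names and values are constructed: `req_narrow` uses the field widths stated in the thread, and `req_wide` is a hypothetical later widening of the same fields.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the driver's structs. */
struct req_narrow { uint16_t sq_pages, rq_pages; }; /* widths as stated in the thread */
struct req_wide   { uint32_t sq_pages, rq_pages; }; /* hypothetical later widening */

/* Shape of the quoted check. The u16/u8 operands are promoted to int, so the
 * largest possible sum is 65535 + 65535 + 255 and the addition cannot wrap. */
bool fits_narrow(const struct req_narrow *r, uint8_t shadow, uint32_t page_cnt)
{
	return !(r->sq_pages + r->rq_pages + shadow > page_cnt);
}

/* Identical expression after widening: the addition is now done in 32-bit
 * unsigned arithmetic and wraps silently. */
bool fits_wide_unchecked(const struct req_wide *r, uint8_t shadow, uint32_t page_cnt)
{
	return !(r->sq_pages + r->rq_pages + shadow > page_cnt);
}

/* Overflow-checked form. __builtin_add_overflow is the GCC/Clang builtin that
 * the kernel's check_add_overflow() helper wraps. */
bool fits_wide_checked(const struct req_wide *r, uint8_t shadow, uint32_t page_cnt)
{
	uint32_t total;

	if (__builtin_add_overflow(r->sq_pages, r->rq_pages, &total) ||
	    __builtin_add_overflow(total, shadow, &total))
		return false;
	return total <= page_cnt;
}

int main(void)
{
	struct req_narrow n = { 65535, 65535 }; /* constructed worst case */
	struct req_wide w = { 0xFFFFFFFFu, 2 }; /* constructed: sum wraps to 1 */

	printf("narrow: %d\n", fits_narrow(&n, 255, 16));
	printf("wide unchecked: %d\n", fits_wide_unchecked(&w, 1, 16));
	printf("wide checked: %d\n", fits_wide_checked(&w, 1, 16));
	return 0;
}
```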