This is a note to let you know that I've just added the patch titled
misc: pci_endpoint_test: Prevent some integer overflows
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summ...
The filename of the patch is: misc-pci_endpoint_test-prevent-some-integer-overflows.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From foo@baz Mon 11 Nov 2019 10:07:22 AM CET
From: Mathieu Poirier mathieu.poirier@linaro.org Date: Thu, 5 Sep 2019 10:17:50 -0600 Subject: misc: pci_endpoint_test: Prevent some integer overflows To: stable@vger.kernel.org Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-omap@vger.kernel.org, linux-i2c@vger.kernel.org, linux-pci@vger.kernel.org, linux-mtd@lists.infradead.org Message-ID: 20190905161759.28036-10-mathieu.poirier@linaro.org
From: Dan Carpenter dan.carpenter@oracle.com
commit 378f79cab12b669928f3a4037f023837ead2ce0c upstream
"size + max" can have an arithmetic overflow when we're allocating:
orig_src_addr = dma_alloc_coherent(dev, size + alignment, ...
I've added a few checks to prevent that.
Fixes: 13107c60681f ("misc: pci_endpoint_test: Add support to provide aligned buffer addresses") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Mathieu Poirier mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/misc/pci_endpoint_test.c | 9 +++++++++ 1 file changed, 9 insertions(+)
--- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -226,6 +226,9 @@ static bool pci_endpoint_test_copy(struc u32 src_crc32; u32 dst_crc32;
+ if (size > SIZE_MAX - alignment) + goto err; + orig_src_addr = dma_alloc_coherent(dev, size + alignment, &orig_src_phys_addr, GFP_KERNEL); if (!orig_src_addr) { @@ -311,6 +314,9 @@ static bool pci_endpoint_test_write(stru size_t alignment = test->alignment; u32 crc32;
+ if (size > SIZE_MAX - alignment) + goto err; + orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr, GFP_KERNEL); if (!orig_addr) { @@ -369,6 +375,9 @@ static bool pci_endpoint_test_read(struc size_t alignment = test->alignment; u32 crc32;
+ if (size > SIZE_MAX - alignment) + goto err; + orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr, GFP_KERNEL); if (!orig_addr) {
Patches currently in stable-queue which might be from mathieu.poirier@linaro.org are
queue-4.14/mailbox-reset-txdone_method-txdone_by_poll-if-client-knows_txdone.patch queue-4.14/mtd-spi-nor-cadence-quadspi-add-a-delay-in-write-sequence.patch queue-4.14/misc-pci_endpoint_test-fix-bug_on-error-during-pci_disable_msi.patch queue-4.14/asoc-tlv320dac31xx-mark-expected-switch-fall-through.patch queue-4.14/pci-dra7xx-add-shutdown-handler-to-cleanly-turn-off-clocks.patch queue-4.14/asoc-tlv320aic31xx-handle-inverted-bclk-in-non-dsp-modes.patch queue-4.14/mtd-spi-nor-enable-4b-opcodes-for-mx66l51235l.patch queue-4.14/cpufreq-ti-cpufreq-add-missing-of_node_put.patch queue-4.14/asoc-davinci-kill-bug_on-usage.patch queue-4.14/mfd-palmas-assign-the-right-powerhold-mask-for-tps65917.patch queue-4.14/asoc-davinci-mcasp-fix-an-error-handling-path-in-davinci_mcasp_probe.patch queue-4.14/misc-pci_endpoint_test-prevent-some-integer-overflows.patch queue-4.14/asoc-davinci-mcasp-handle-return-value-of-devm_kasprintf.patch queue-4.14/i2c-omap-trigger-bus-recovery-in-lockup-case.patch queue-4.14/usb-dwc3-allow-disabling-of-metastability-workaround.patch