This code is scary from a security perspective.  It's old code; we only
moved it to staging so that we could delete it in a later kernel release.
So I'm not going to bother with this warning.

regards,
dan carpenter

On Mon, Feb 16, 2015 at 06:04:22AM +0800, kbuild test robot wrote:
> TO: Alan Cox <a...@linux.intel.com>
> CC: "Greg Kroah-Hartman" <gre...@linuxfoundation.org>
> 
> tree:   git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> head:   b8acf73194186a5cba86812eb4ba17b897f0e13e
> commit: 2cbf7fe2d5d32a4747c1f8ad163e886dccad930c [7695/9788] i2o: move to staging
> :::::: branch date: 3 days ago
> :::::: commit date: 12 days ago
> 
> drivers/staging/i2o/i2o_config.c:255 i2o_cfg_swdl() warn: check for integer overflow 'swlen'
> drivers/staging/i2o/i2o_config.c:334 i2o_cfg_swul() warn: check for integer overflow 'swlen'
> drivers/staging/i2o/i2o_config.c:508 i2o_cfg_evt_get() error: we previously assumed 'p' could be null (see line 504)
> drivers/staging/i2o/i2o_config.c:807 i2o_cfg_passthru() warn: check for integer over/underflow 'user_msg'
> 
> git remote add next git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> git remote update next
> git checkout 2cbf7fe2d5d32a4747c1f8ad163e886dccad930c
> vim +/swlen +255 drivers/staging/i2o/i2o_config.c
> 
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  249      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  250  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  251      
> if (get_user(curfrag, kxfer.curfrag) < 0)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  252      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  253  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  254      
> if (curfrag == maxfrag)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 @255      
>         fragsize = swlen - (maxfrag - 1) * 8192;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  256  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  257      
> if (!kxfer.buf || !access_ok(VERIFY_READ, kxfer.buf, fragsize))
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  258      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  259  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  260      
> c = i2o_find_iop(kxfer.iop);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  261      
> if (!c)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  262      
>         return -ENXIO;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  263  
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  264      
> msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  265      
> if (IS_ERR(msg))
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  266      
>         return PTR_ERR(msg);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  267  
> 9d793b0b drivers/message/i2o/i2o_config.c Alan Cox       2008-10-15  268      
> if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) {
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  269      
>         i2o_msg_nop(c, msg);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  270      
>         return -ENOMEM;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  271      
> }
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  272  
> 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap   2006-12-06  273      
> if (__copy_from_user(buffer.virt, kxfer.buf, fragsize)) {
> 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap   2006-12-06  274      
>         i2o_msg_nop(c, msg);
> 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap   2006-12-06  275      
>         i2o_dma_free(&c->pdev->dev, &buffer);
> 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap   2006-12-06  276      
>         return -EFAULT;
> 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap   2006-12-06  277      
> }
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  278  
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  279      
> msg->u.head[0] = cpu_to_le32(NINE_WORD_MSG_SIZE | SGL_OFFSET_7);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  280      
> msg->u.head[1] =
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  281      
>     cpu_to_le32(I2O_CMD_SW_DOWNLOAD << 24 | HOST_TID << 12 |
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  282      
>                 ADAPTER_TID);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  283      
> msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  284      
> msg->u.head[3] = cpu_to_le32(0);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  285      
> msg->body[0] =
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  286      
>     cpu_to_le32((((u32) kxfer.flags) << 24) | (((u32) kxfer.
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  287      
>                                                 sw_type) << 16) |
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  288      
>                 (((u32) maxfrag) << 8) | (((u32) curfrag)));
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  289      
> msg->body[1] = cpu_to_le32(swlen);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  290      
> msg->body[2] = cpu_to_le32(kxfer.sw_id);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  291      
> msg->body[3] = cpu_to_le32(0xD0000000 | fragsize);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  292      
> msg->body[4] = cpu_to_le32(buffer.phys);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  293  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  294      
> osm_debug("swdl frag %d/%d (size %d)\n", curfrag, maxfrag, fragsize);
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  295      
> status = i2o_msg_post_wait_mem(c, msg, 60, &buffer);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  296  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  297      
> if (status != -ETIMEDOUT)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  298      
>         i2o_dma_free(&c->pdev->dev, &buffer);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  299  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  300      
> if (status != I2O_POST_WAIT_OK) {
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  301      
>         // it fails if you try and send frags out of order
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  302      
>         // and for some yet unknown reasons too
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  303      
>         osm_info("swdl failed, DetailedStatus = %d\n", status);
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  304      
>         return status;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  305      
> }
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  306  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  307      
> return 0;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  308  };
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  309  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  310  
> static int i2o_cfg_swul(unsigned long arg)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  311  {
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  312      
> struct i2o_sw_xfer kxfer;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  313      
> struct i2o_sw_xfer __user *pxfer = (struct i2o_sw_xfer __user *)arg;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  314      
> unsigned char maxfrag = 0, curfrag = 1;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  315      
> struct i2o_dma buffer;
> a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel   2006-01-06  316      
> struct i2o_message *msg;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  317      
> unsigned int status = 0, swlen = 0, fragsize = 8192;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  318      
> struct i2o_controller *c;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  319      
> int ret = 0;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  320  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  321      
> if (copy_from_user(&kxfer, pxfer, sizeof(struct i2o_sw_xfer)))
> b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter  2010-04-23  322      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  323  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  324      
> if (get_user(swlen, kxfer.swlen) < 0)
> b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter  2010-04-23  325      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  326  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  327      
> if (get_user(maxfrag, kxfer.maxfrag) < 0)
> b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter  2010-04-23  328      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  329  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  330      
> if (get_user(curfrag, kxfer.curfrag) < 0)
> b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter  2010-04-23  331      
>         return -EFAULT;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  332  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  333      
> if (curfrag == maxfrag)
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 @334      
>         fragsize = swlen - (maxfrag - 1) * 8192;
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  335  
> ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16  336      
> if (!kxfer.buf)
> b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter  2010-04-23  337      
>         return -EFAULT;
> 
> :::::: The code at line 255 was first introduced by commit
> :::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2
> 
> :::::: TO: Linus Torvalds <torva...@ppc970.osdl.org>
> :::::: CC: Linus Torvalds <torva...@ppc970.osdl.org>
> 
> ---
> 0-DAY kernel test infrastructure                Open Source Technology Center
> http://lists.01.org/mailman/listinfo/kbuild                 Intel Corporation