Hi Dan,
> -----Original Message----- > From: Dan Carpenter [mailto:dan.carpen...@oracle.com] > Sent: Wednesday 21 August 2019 08:11 > To: Derek Kiernan <dkier...@xilinx.com>; Dragan Cvetic <drag...@xilinx.com> > Cc: Arnd Bergmann <a...@arndb.de>; Greg Kroah-Hartman > <gre...@linuxfoundation.org>; Michal Simek <mich...@xilinx.com>; > linux-arm-ker...@lists.infradead.org; linux-kernel@vger.kernel.org; > kernel-janit...@vger.kernel.org > Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in > xsdfec_table_write() > > The checking here needs to handle integer overflows because "offset" and > "len" come from the user. Good catch, thanks. > > Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") > Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> > --- > drivers/misc/xilinx_sdfec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c > index 3fc53d20abf3..0bf3bcc8e1ef 100644 > --- a/drivers/misc/xilinx_sdfec.c > +++ b/drivers/misc/xilinx_sdfec.c > @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, > u32 offset, > * Writes that go beyond the length of > * Shared Scale(SC) table should fail > */ > - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { > + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || > + len > depth / XSDFEC_REG_WIDTH_JUMP || > + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { > dev_dbg(xsdfec->dev, "Write exceeds SC table length"); > return -EINVAL; > } > -- > 2.20.1 Reviewed-by: Dragan Cvetic <dragan.cve...@xilinx.com> Thanks Dragan
