On Tue, Nov 25, 2025 at 10:38:29AM -0600, Ira Weiny wrote: > Dan Carpenter wrote: > > The "cmd->in_offset" variable comes from the user via the __nd_ioctl() > > function. The problem is that the "cmd->in_offset + cmd->in_length" > > addition could have an integer wrapping issue if cmd->in_offset is close > > to UINT_MAX . The "cmd->in_length" variable has been capped, but the > > "cmd->in_offset" variable has not. Both of these variables are type u32. > > Does ramdax_set_config_data() also need this?
Yes. It does. These are from Smatch warnings, right. They take a few rebuilds for the taint information to propagate from the ioctl to the ramdax_get_config_data() function. When I rebuilt it, then it propagates to both so I would have seen the ramdax_set_config_data() tomorrow. But they're called from the same function so the taint data should have propagated to both at the same time... WTF? I don't know what happened. Anyway, I will fix that and resend. Thanks for noticing. > I'm not quite following where in_length is capped so I'm inclined to > add size_add in both set and get. I meant that the if (struct_size(cmd, in_buf, cmd->in_length) > buf_len) line checks that cmd->in_length is okay. regards, dan carpenter
