On 28.01.2025 01:39, Andrii Nakryiko wrote:
On Fri, Jan 24, 2025 at 1:41 PM Josh Poimboeuf <jpoim...@kernel.org> wrote:
On Fri, Jan 24, 2025 at 10:02:46AM -0800, Andrii Nakryiko wrote:
On Tue, Jan 21, 2025 at 6:32 PM Josh Poimboeuf <jpoim...@kernel.org> wrote:
+ UNSAFE_GET_USER_INC(info, cur, 1, Efault);
+ offset_count = SFRAME_FRE_OFFSET_COUNT(info);
+ offset_size = offset_size_enum_to_size(SFRAME_FRE_OFFSET_SIZE(info));
+ if (!offset_count || !offset_size)
+ return -EFAULT;
+
+ if (cur + (offset_count * offset_size) > sec->fres_end)
offset_count * offset_size done in u8 can overflow, no? maybe upcast
to unsigned long or use check_add_overflow?
The maximum offset_count * offset_size is 15 * 4 = 60 if I am not wrong:
offset_size is <= 2 as returned by offset_size_enum_to_size().
SFrame V2 FRE offset sizes are either 1, 2, or 4 bytes. This is also
reflected in offset_size_enum_to_size().
offset_count is expected to be <= 3, enforced by the !offset_count check
at the bottom.
SFrame V2 FRE offset count is 4 bits unsigned, so 0 <= offset_count <= 15.
An overflow here would be harmless as it would be caught by the
!offset_count anyway. Though I also notice offset_count isn't big
enough to hold the 2-byte SFRAME_FRE_OFFSET_COUNT() value. Which is
harmless for the same reason, but yeah I'll make offset_count an
unsigned int.
As mentioned above the FRE offset count is 4 bits, not 2 bytes. This is
also reflected in SFRAME_FRE_OFFSET_COUNT().
Regards,
Jens
--
Jens Remus
Linux on Z Development (D3303)
+49-7031-16-1128 Office
jre...@de.ibm.com
IBM
IBM Deutschland Research & Development GmbH; Vorsitzender des Aufsichtsrats:
Wolfgang Wendt; Geschäftsführung: David Faller; Sitz der Gesellschaft: Böblingen;
Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM Data Privacy Statement: https://www.ibm.com/privacy/
