diff mbox series

[v3] scsi: use unsigned int variables to parse partition table

Message ID 20241115030303.2473414-1-quic_xiaosenh@quicinc.com
State Superseded
Headers show
Series [v3] scsi: use unsigned int variables to parse partition table | expand

Commit Message

Xiaosen He Nov. 15, 2024, 3:03 a.m. UTC
signed integer overflow happened in the following multiplication,
ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000,
the overflow was caught by UBSAN and caused crash to the system,
use unsigned int instead of signed int to avoid integer overflow.

Signed-off-by: Xiaosen He <quic_xiaosenh@quicinc.com>
Signed-off-by: Jian Zhou <quic_jianzhou@quicinc.com>
---
 drivers/scsi/scsicam.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Aleksei Vetrov Nov. 15, 2024, 2:58 p.m. UTC | #1
On Thu, Nov 14, 2024 at 07:03:03PM -0800, Xiaosen He wrote:
> signed integer overflow happened in the following multiplication,
> ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000,
> the overflow was caught by UBSAN and caused crash to the system,
> use unsigned int instead of signed int to avoid integer overflow.
> 
> Signed-off-by: Xiaosen He <quic_xiaosenh@quicinc.com>
> Signed-off-by: Jian Zhou <quic_jianzhou@quicinc.com>
Reviewed-by: Aleksei Vetrov <vvvvvv@google.com>
Martin K. Petersen Jan. 10, 2025, 10:38 p.m. UTC | #2
Xiaosen,

> signed integer overflow happened in the following multiplication,
> ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000,
> the overflow was caught by UBSAN and caused crash to the system,
> use unsigned int instead of signed int to avoid integer overflow.

This patch is against a very old kernel. Please see commit a10183d744fb
("scsi: simplify scsi_partsize") which was merged back in 2020.
diff mbox series

Patch

diff --git a/drivers/scsi/scsicam.c b/drivers/scsi/scsicam.c
index 910f4a7a3924..babf7f0b5178 100644
--- a/drivers/scsi/scsicam.c
+++ b/drivers/scsi/scsicam.c
@@ -126,13 +126,13 @@  int scsi_partsize(unsigned char *buf, unsigned long capacity,
 	       unsigned int *cyls, unsigned int *hds, unsigned int *secs)
 {
 	struct partition *p = (struct partition *)buf, *largest = NULL;
-	int i, largest_cyl;
-	int cyl, ext_cyl, end_head, end_cyl, end_sector;
+	int i;
+	unsigned int cyl, ext_cyl, end_head, end_cyl, end_sector, largest_cyl;
 	unsigned int logical_end, physical_end, ext_physical_end;
 
 
 	if (*(unsigned short *) (buf + 64) == 0xAA55) {
-		for (largest_cyl = -1, i = 0; i < 4; ++i, ++p) {
+		for (i = 0; i < 4; ++i, ++p) {
 			if (!p->sys_ind)
 				continue;
 #ifdef DEBUG
@@ -140,7 +140,7 @@  int scsi_partsize(unsigned char *buf, unsigned long capacity,
 			       i);
 #endif
 			cyl = p->cyl + ((p->sector & 0xc0) << 2);
-			if (cyl > largest_cyl) {
+			if ((largest == NULL) || (cyl > largest_cyl)) {
 				largest_cyl = cyl;
 				largest = p;
 			}