Message ID | 20241115030303.2473414-1-quic_xiaosenh@quicinc.com |
---|---|
State | Superseded |
Headers | show |
Series | [v3] scsi: use unsigned int variables to parse partition table | expand |
On Thu, Nov 14, 2024 at 07:03:03PM -0800, Xiaosen He wrote: > signed integer overflow happened in the following multiplication, > ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000, > the overflow was caught by UBSAN and caused crash to the system, > use unsigned int instead of signed int to avoid integer overflow. > > Signed-off-by: Xiaosen He <quic_xiaosenh@quicinc.com> > Signed-off-by: Jian Zhou <quic_jianzhou@quicinc.com> Reviewed-by: Aleksei Vetrov <vvvvvv@google.com>
Xiaosen, > signed integer overflow happened in the following multiplication, > ext_cyl*(end_head+1)*end_sector = 0x41040*(0xff+1)*0x3f = 0xffffc000, > the overflow was caught by UBSAN and caused crash to the system, > use unsigned int instead of signed int to avoid integer overflow. This patch is against a very old kernel. Please see commit a10183d744fb ("scsi: simplify scsi_partsize") which was merged back in 2020.
diff --git a/drivers/scsi/scsicam.c b/drivers/scsi/scsicam.c index 910f4a7a3924..babf7f0b5178 100644 --- a/drivers/scsi/scsicam.c +++ b/drivers/scsi/scsicam.c @@ -126,13 +126,13 @@ int scsi_partsize(unsigned char *buf, unsigned long capacity, unsigned int *cyls, unsigned int *hds, unsigned int *secs) { struct partition *p = (struct partition *)buf, *largest = NULL; - int i, largest_cyl; - int cyl, ext_cyl, end_head, end_cyl, end_sector; + int i; + unsigned int cyl, ext_cyl, end_head, end_cyl, end_sector, largest_cyl; unsigned int logical_end, physical_end, ext_physical_end; if (*(unsigned short *) (buf + 64) == 0xAA55) { - for (largest_cyl = -1, i = 0; i < 4; ++i, ++p) { + for (i = 0; i < 4; ++i, ++p) { if (!p->sys_ind) continue; #ifdef DEBUG @@ -140,7 +140,7 @@ int scsi_partsize(unsigned char *buf, unsigned long capacity, i); #endif cyl = p->cyl + ((p->sector & 0xc0) << 2); - if (cyl > largest_cyl) { + if ((largest == NULL) || (cyl > largest_cyl)) { largest_cyl = cyl; largest = p; }