From patchwork Thu Aug 24 22:58:33 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 110964
Delivered-To: patch@linaro.org
Received: by 10.140.95.78 with SMTP id h72csp121257qge;
 Thu, 24 Aug 2017 15:59:46 -0700 (PDT)
X-Received: by 10.98.86.2 with SMTP id k2mr7911471pfb.143.1503615586276;
 Thu, 24 Aug 2017 15:59:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503615586; cv=none;
 d=google.com; s=arc-20160816;
 b=POcDzJoqJtgFZ8/ETZgNRSC+2z3E2MYM3aAstao6Ecr2ah0TM3NlOKLQOcTV0puWio
 /ht+Dw+dshw2LQNz9zUe9l7Sk8iGoA2pQHkm0YV/nCZqkzchXbyuJmSL5iuUacZXiQMo
 plBRs95OxWZjGLP9o3MLEroeOXPYRG08DtTQQ37HvrKpJXt48L9tK45uaQQSRpPsWM2x
 7IuwUgtAFMiiZcKCLi0peGYQ13VJncpi7+vXJllQ4XKPxfY8r2HIauRRoRWHgWQ46HfB
 STFTlrNaxioOWLDA8kgAJJktfCXyFTQMHF8Ye1LtgYorVqFF53rj+L1f3njhvKcvl1Oq
 tFDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:message-id:date:subject:cc:to:from
 :arc-authentication-results;
 bh=lDUpO3e1CqyKjE0+2sXEokaq5ME+bBTGE90z1V4VpIg=;
 b=HKABdfJ5PnyVbYX1iOs1sDCrSSaW+uKNQj+rxQsfFI8BuFpmcZpYZmP1FS4iBNxnGU
 kq5V4NkTjlQVc8qoPVU7Qt2TyPqmFBYH3U6YL2NCgT0VIcIlBWCDP3MgoqOCtQdY+j6f
 +i9u3pnOPFadMJmVI7DWKbNCw8Umcy+F4pDxOpjVI0YyXLE6RgcAR4tIm2YnIRUnMJ0y
 N0zfPyjDgIaaKS0Xh+Pd4wXby6OFhYD2ZhfM4+ZZBqk/Utbx/5nTayyTknltf/t2t0mk
 uqTSDggde/Dz282TxcAn0y8ni01LQuGu1adhO4HeoUK13tESzjwv2DHnymtWMXZxAYI2
 oHsw==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 i87si3531982pfd.457.2017.08.24.15.59.45; 
 Thu, 24 Aug 2017 15:59:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1754081AbdHXW7n (ORCPT <rfc822;daniel.diaz@linaro.org>
 + 26 others); Thu, 24 Aug 2017 18:59:43 -0400
Received: from mout.kundenserver.de ([217.72.192.73]:56242 "EHLO
 mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1753990AbdHXW7l (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Thu, 24 Aug 2017 18:59:41 -0400
Received: from wuerfel.lan ([95.208.190.237]) by mrelayeu.kundenserver.de
 (mreue102 [212.227.15.145]) with ESMTPA (Nemesis) id
 0Mb8iR-1dzVoT19wZ-00KdAM; Fri, 25 Aug 2017 00:59:34 +0200
From: Arnd Bergmann <arnd@arndb.de>
To: Karsten Keil <isdn@linux-pingi.de>, "David S. Miller" <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH] isdn: hisax: fix buffer overflow check
Date: Fri, 25 Aug 2017 00:58:33 +0200
Message-Id: <20170824225931.1602326-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Provags-ID: V03:K0:LTt7DjOfmNGakEKkNrd/8bwZkGDWtEZ2HFsToEvCrMhKT/UUJ9k
 njXodIMYex4WYHlRrCLGFuCERIeyvhlbiIF9XBpWb9w8krNIWhOLu7V6ZkhH7yWfKtg5Cdb
 Tpylqt2as2HdgJOEZL1qUgnI8wW4vQCvIq2DaeKCI/IvKNZrJcFaDZxJk/nYYopuzkQ1n5F
 LdWiPbfG5TLR4sj3FaRew==
X-UI-Out-Filterresults: notjunk:1; V01:K0:4/6IHZWzF1A=:st18pAKNQrUSMoJ9RzUksj
 nG0CdFG9uOx51h7i1bRZqE+1a+f/X+Jl7g02KDbBht1kI8/NpMf6Dy4EzAiLUXGsNh6FS6M7P
 60IIhR9Gy1HGswKuoNQh+/vs1uuEusMRPRFtMZpuCyPnGZhMKQ48VSSPy8BCgLm6EGz5HEpxA
 Lv46XUB/D2HE3Jdxj8YvqTwc+uBELhtxZtCKi8mvytvWt7Ax39nLJ6MEMk71Rq95hwmYw6rcS
 75SvRbvZcBhbKgb+EcdifSJ/ugrRjyvfQBwoPvuwBYESY/IlSCzYXuF6nst0HrG8lURyDr6Dm
 uk3Bt9BL4IS6Iz8gTM82npJrpI4u+CYMV89XCT3YCDo5txqge5bv4J6sFs84W//9FSKhGAp2f
 F0tmW/qmQznaFbQXlr2of6eNZUSdjI/ZRTU0qmuXUoAyLTCh+Y5h+2lYiR08n915uWPkQUSfM
 l/ytfNyqAkVgQQ20nEpT/LQh9l9F0wcIL3ldsMItQWt4L4dIwYtLe62tfGpMfsY+jnG9zwHzy
 v00cc6BklRKnh4ajqn+sLVg3+ToDZviKIC88OyVeNhUaOf35ZBQ7vyJpRkIC+Bubte9vlQB0u
 7utPU9WnKWm4wCPeOiwC7QQxuZ57Hktk3p8KMWJXtGkLYvp4Dj3DdxFgO8PASoNj6Y+94CmgJ
 ieJsGJN/kK7zeYg8FCNDdqDXMobFNlCFjJbGvrnudBLz1U9Fmam6LPFJsjcXjZN77+4lnJwte
 BvTxNCPxbjcY0SkyPULC7FZGSGrsaAMcFpP82Q==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

gcc-8 warns about a corner case that can overflow a memcpy buffer when a
length variable is negative. While the code checks for an overly large
value, it does not check for a negative length that would get turned
into a large positive number:

In function 'memcpy',
    inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2,
    inlined from 'l3dss1_cmd_global' at drivers/isdn/hisax/l3dss1.c:2219:4:
include/linux/string.h:348:9: error: '__builtin_memcpy' reading 266 or more bytes from a region of size 265 [-Werror=stringop-overflow=]

In function 'memcpy',
    inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2,
    inlined from 'l3ni1_cmd_global' at drivers/isdn/hisax/l3ni1.c:2079:4:
include/linux/string.h:348:9: error: '__builtin_memcpy' reading between 266 and 4294967295 bytes from a region of size 265 [-Werror=stringop-overflow=]

It's not clear to me whether the warning should be here, or if this
is another case of an optimization step in gcc causing a warning about
something that would otherwise be silently ignored. Either way, making
the length 'unsigned int' instead ensures that no overflow can happen
here, and avoids the warning. The same code exists in two files, so I'm
patching both the same way.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/isdn/hisax/l3dss1.c | 3 ++-
 drivers/isdn/hisax/l3ni1.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
2.9.0

diff --git a/drivers/isdn/hisax/l3dss1.c b/drivers/isdn/hisax/l3dss1.c
index 18a3484b1f7e..85cef7a2e709 100644
--- a/drivers/isdn/hisax/l3dss1.c
+++ b/drivers/isdn/hisax/l3dss1.c
@@ -2168,7 +2168,8 @@ static int l3dss1_cmd_global(struct PStack *st, isdn_ctrl *ic)
 { u_char id;
 	u_char temp[265];
 	u_char *p = temp;
-	int i, l, proc_len;
+	int i;
+	unsigned int l, proc_len;
 	struct sk_buff *skb;
 	struct l3_process *pc = NULL;
 
diff --git a/drivers/isdn/hisax/l3ni1.c b/drivers/isdn/hisax/l3ni1.c
index ea311e7df48e..99e0ba5d49a1 100644
--- a/drivers/isdn/hisax/l3ni1.c
+++ b/drivers/isdn/hisax/l3ni1.c
@@ -2024,7 +2024,8 @@ static int l3ni1_cmd_global(struct PStack *st, isdn_ctrl *ic)
 { u_char id;
 	u_char temp[265];
 	u_char *p = temp;
-	int i, l, proc_len;
+	int i;
+	unsigned int l, proc_len;
 	struct sk_buff *skb;
 	struct l3_process *pc = NULL;