diff mbox series

dm: Cast an operand to sector_t to prevent potential uint32_t overflow in unstripe_ctr()

Message ID 20241021195444.13237-1-zichenxie0106@gmail.com (mailing list archive)
State Accepted, archived
Delegated to: Mikulas Patocka
Headers show
Series dm: Cast an operand to sector_t to prevent potential uint32_t overflow in unstripe_ctr() | expand

Commit Message

Gax-c Oct. 21, 2024, 7:54 p.m. UTC 
From: Zichen Xie <zichenxie0106@gmail.com>

This was found by a static analyzer.
There may be a potential integer overflow issue in
unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
defined as "sector_t"(uint64_t), while uc->unstripe,
uc->chunk_size and uc->stripes are all defined as "uint32_t".
The result of the calculation will be limited to "uint32_t"
without correct casting.
So, we recommend adding an extra cast to prevent potential
integer overflow.

Fixes: 18a5bf270532 ("dm: add unstriped target")
Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
---
 drivers/md/dm-unstripe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Mikulas Patocka Oct. 29, 2024, 10:53 a.m. UTC | #1 
Accepted, Thanks.

Mikulas



On Mon, 21 Oct 2024, Gax-c wrote:

> From: Zichen Xie <zichenxie0106@gmail.com>
> 
> This was found by a static analyzer.
> There may be a potential integer overflow issue in
> unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
> defined as "sector_t"(uint64_t), while uc->unstripe,
> uc->chunk_size and uc->stripes are all defined as "uint32_t".
> The result of the calculation will be limited to "uint32_t"
> without correct casting.
> So, we recommend adding an extra cast to prevent potential
> integer overflow.
> 
> Fixes: 18a5bf270532 ("dm: add unstriped target")
> Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
> ---
>  drivers/md/dm-unstripe.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/md/dm-unstripe.c b/drivers/md/dm-unstripe.c
> index 48587c16c445..e8a9432057dc 100644
> --- a/drivers/md/dm-unstripe.c
> +++ b/drivers/md/dm-unstripe.c
> @@ -85,8 +85,8 @@ static int unstripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
>  	}
>  	uc->physical_start = start;
>  
> -	uc->unstripe_offset = uc->unstripe * uc->chunk_size;
> -	uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size;
> +	uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size;
> +	uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size;
>  	uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0;
>  
>  	tmp_len = ti->len;
> -- 
> 2.34.1
>
diff mbox series

Patch

diff --git a/drivers/md/dm-unstripe.c b/drivers/md/dm-unstripe.c
index 48587c16c445..e8a9432057dc 100644
--- a/drivers/md/dm-unstripe.c
+++ b/drivers/md/dm-unstripe.c
@@ -85,8 +85,8 @@  static int unstripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
 	}
 	uc->physical_start = start;
 
-	uc->unstripe_offset = uc->unstripe * uc->chunk_size;
-	uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size;
+	uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size;
+	uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size;
 	uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0;
 
 	tmp_len = ti->len;