X-Patchwork-Submitter: Martin Kelly
X-Patchwork-Id: 10308785
From: Martin Kelly
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Martin Kelly
Subject: [PATCH 2/2] iio:kfifo_buf: check for uint overflow
Date: Mon, 26 Mar 2018 14:27:52 -0700
Message-Id: <20180326212752.7321-2-mkelly@xevo.com>
In-Reply-To: <20180326212752.7321-1-mkelly@xevo.com>
References: <20180326212752.7321-1-mkelly@xevo.com>

Currently, the following causes a kernel OOPS in memcpy:

echo 1073741825 > buffer/length
echo 1 > buffer/enable

Note that using 1073741824 instead of 1073741825 causes "write error:
Cannot allocate memory" but no OOPS.

This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
rounds up to the nearest power of 2, it will actually call kmalloc with
roundup_pow_of_two(length) * bytes_per_datum.

Using length == 1073741825 and bytes_per_datum == 2, we get:

kmalloc(roundup_pow_of_two(1073741825) * 2
or kmalloc(2147483648 * 2)
or kmalloc(4294967296)
or kmalloc(UINT_MAX + 1)

so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
subsequent memcpy to fail once the device is enabled.

Fix this by checking for overflow prior to allocating a kfifo. With this
check added, the above code returns -EINVAL when enabling the buffer,
rather than causing an OOPS.

Signed-off-by: Martin Kelly
--- drivers/iio/buffer/kfifo_buf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c index ac622edf2486..70c302a93d7f 100644 --- a/drivers/iio/buffer/kfifo_buf.c +++ b/drivers/iio/buffer/kfifo_buf.c @@ -27,6 +27,13 @@ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf, if ((length == 0) || (bytes_per_datum == 0)) return -EINVAL; + /* + * Make sure we don't overflow an unsigned int after kfifo rounds up to + * the next power of 2. + */ + if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum) + return -EINVAL; + return __kfifo_alloc((struct __kfifo *)&buf->kf, length, bytes_per_datum, GFP_KERNEL); }
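
Review bot: the added test in __iio_allocate_kfifo() assumes that roundup_pow_of_two(length) does not itself wrap before it is compared with UINT_MAX / bytes_per_datum. The types of length and bytes_per_datum are not visible in this hunk, and roundup_pow_of_two() computes in unsigned long, so where unsigned long is 32 bits a length above 2^31 would overflow in the round-up first and the comparison would then run on a meaningless value. Consider rejecting such a length explicitly before the round-up, and extending the new comment to state which operand widths the check relies on. The division is safe as written because bytes_per_datum == 0 is already rejected by the preceding test. A smaller point: the commit message says the error now surfaces as -EINVAL when the buffer is enabled, so it may be worth noting in the comment (or in a follow-up) that the oversized value is still accepted when written to buffer/length.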