| Message ID | 20230203201821.483477-1-k.yankevich@omp.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp1045511wrn;
Fri, 3 Feb 2023 12:33:16 -0800 (PST)
X-Google-Smtp-Source:
AK7set+w2Zo/FcLTISwnHenPFnHhyW5/VfYq52B+RS4+ITv/PmAOI6vuRPNy+s6dRfiX/W+EUdgq
X-Received: by 2002:a50:ce47:0:b0:4a2:45e3:ede3 with SMTP id
k7-20020a50ce47000000b004a245e3ede3mr11380598edj.14.1675456396068;
Fri, 03 Feb 2023 12:33:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675456396; cv=none;
d=google.com; s=arc-20160816;
b=ZY3cAiP5CrfWFE+Dp9oaRwTUnZzmDDprdDv+9qH7HmedOOYUNu0Gs7qkxSc9Er0QxP
ZDsxH4BnZU41gC++C7mKXsM+KgDGkKQGUokjuTRypLuk28LAFNN7YBbb6JQOhnbhdwKC
aK+jSE3y45CJIucV/BW/zIq2poFKPzoC56Upg1zh820qI1/Xpf+lgJB8TDdTJ+oUT+rh
qB/Gu+AWym2bc7SsfeECTPoPImA8ZroOa0APrImMmPEOrjYR2Fej1C69ctrY3BeEYLF1
lTkpiAuJPRYIDZUHvCVrw8OEWJ2rFxFs6STPpZ+C9CjewODqPqXQiTyRvflnIQF4jl+G
6WaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=Mk29tEkqcVGz9+u+Je0PVYhStkNXkrdtT3Ov5XJv/vY=;
b=NHVU5j4Koel44lMIfa+OVshtZuPR/ubi0h1LzOnZleA76ufjFQOY1hBccBvb9Kk1O0
duS1sja0twJisS+6BprsAUJsPB1ALasD0Qoc09cZPP2td5cylKmvf3IJ0EmVV9Mc0xrR
aWuHB6u3NeKkY4CkdJMHe9lfK7Mt/VA0R5dKW+59ELeZJRYUx5fFViShwVJCvULAjBLw
XAyPPf0rL41b4QDu79AmDoZXire2QXp2wreN2Xe+TfucPLbMCMcUQwuPSk465TnsJD8m
pOFGlT3Ks5Q7TP5h29IKvK/AOfQXJh8P5Y5WRepqfY3+TRuXLy1PDSGuVUpqfflEVfTO
uugQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ed13-20020a056402294d00b004a21a662064si3723556edb.352.2023.02.03.12.32.51;
Fri, 03 Feb 2023 12:33:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229610AbjBCUTu (ORCPT <rfc822;il.mystafa@gmail.com> + 99 others);
Fri, 3 Feb 2023 15:19:50 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58590 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S233333AbjBCUTp (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 3 Feb 2023 15:19:45 -0500
Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8AEC4A9111;
Fri, 3 Feb 2023 12:19:44 -0800 (PST)
Received: from uxi.kar (171.25.167.209) by msexch01.omp.ru (10.188.4.12) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.14; Fri, 3 Feb 2023
23:19:35 +0300
From: Karina Yankevich <k.yankevich@omp.ru>
To: Alan Stern <stern@rowland.harvard.edu>
CC: Karina Yankevich <k.yankevich@omp.ru>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
<linux-usb@vger.kernel.org>,
<usb-storage@lists.one-eyed-alien.net>,
<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH] usb: storage: sddr55: avoid integer overflow
Date: Fri, 3 Feb 2023 23:18:21 +0300
Message-ID: <20230203201821.483477-1-k.yankevich@omp.ru>
X-Mailer: git-send-email 2.39.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [171.25.167.209]
X-ClientProxiedBy: msexch01.omp.ru (10.188.4.12) To msexch01.omp.ru
(10.188.4.12)
X-KSE-ServerInfo: msexch01.omp.ru, 9
X-KSE-AntiSpam-Interceptor-Info: scan successful
X-KSE-AntiSpam-Version: 5.9.59, Database issued on: 02/03/2023 19:59:06
X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
X-KSE-AntiSpam-Method: none
X-KSE-AntiSpam-Rate: 59
X-KSE-AntiSpam-Info: Lua profiles 175255 [Feb 03 2023]
X-KSE-AntiSpam-Info: Version: 5.9.59.0
X-KSE-AntiSpam-Info: Envelope from: k.yankevich@omp.ru
X-KSE-AntiSpam-Info: LuaCore: 502 502 69dee8ef46717dd3cb3eeb129cb7cc8dab9e30f6
X-KSE-AntiSpam-Info: {rep_avail}
X-KSE-AntiSpam-Info: {Tracking_from_domain_doesnt_match_to}
X-KSE-AntiSpam-Info: {relay has no DNS name}
X-KSE-AntiSpam-Info: {SMTP from is not routable}
X-KSE-AntiSpam-Info:
127.0.0.199:7.1.2;omp.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1
X-KSE-AntiSpam-Info: ApMailHostAddress: 171.25.167.209
X-KSE-AntiSpam-Info: {DNS response errors}
X-KSE-AntiSpam-Info: Rate: 59
X-KSE-AntiSpam-Info: Status: not_detected
X-KSE-AntiSpam-Info: Method: none
X-KSE-AntiSpam-Info: Auth:dmarc=temperror header.from=omp.ru;spf=temperror
smtp.mailfrom=omp.ru;dkim=none
X-KSE-Antiphishing-Info: Clean
X-KSE-Antiphishing-ScanningType: Heuristic
X-KSE-Antiphishing-Method: None
X-KSE-Antiphishing-Bases: 02/03/2023 20:01:00
X-KSE-AttachmentFiltering-Interceptor-Info: protection disabled
X-KSE-Antivirus-Interceptor-Info: scan successful
X-KSE-Antivirus-Info: Clean, bases: 2/3/2023 3:58:00 PM
X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756843365957663124?=
X-GMAIL-MSGID: =?utf-8?q?1756843365957663124?=
|
| Series |
usb: storage: sddr55: avoid integer overflow
|
|
Commit Message
Karina Yankevich
Feb. 3, 2023, 8:18 p.m. UTC
We're possibly losing information by shifting an int.
Fix it by adding the necessary cast.
Found by OMP on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
---
drivers/usb/storage/sddr55.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Fri, Feb 03, 2023 at 11:18:21PM +0300, Karina Yankevich wrote: > We're possibly losing information by shifting an int. > Fix it by adding the necessary cast. Nonsense. The card's _total_ capacity is no larger than 128 MB, so a page address can't possibly overflow an int. Alan Stern > Found by OMP on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Karina Yankevich <k.yankevich@omp.ru> > --- > drivers/usb/storage/sddr55.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c > index 15dc25801cdc..4aeff73de147 100644 > --- a/drivers/usb/storage/sddr55.c > +++ b/drivers/usb/storage/sddr55.c > @@ -236,7 +236,7 @@ static int sddr55_read_data(struct us_data *us, > memset (buffer, 0, len); > } else { > > - address = (pba << info->blockshift) + page; > + address = ((unsigned long)pba << info->blockshift) + page; > > command[0] = 0; > command[1] = LSB_of(address>>16); > @@ -411,7 +411,7 @@ static int sddr55_write_data(struct us_data *us, > command[4] = 0x40; > } > > - address = (pba << info->blockshift) + page; > + address = ((unsigned long)pba << info->blockshift) + page; > > command[1] = LSB_of(address>>16); > command[2] = LSB_of(address>>8); > -- > 2.39.1 >
Hello! On 2/3/23 11:48 PM, Alan Stern wrote: [...] >> We're possibly losing information by shifting an int. >> Fix it by adding the necessary cast. > > Nonsense. The card's _total_ capacity is no larger than 128 MB, so a > page address can't possibly overflow an int. Then the 'address' variables shouldn't be declared *unsigned long*, right? That should fix the SVACE's report as well. Would you accept such a patch? > Alan Stern [...] MBR, Sergey
On Mon, Feb 06, 2023 at 11:04:54PM +0300, Sergei Shtylyov wrote: > Hello! > > On 2/3/23 11:48 PM, Alan Stern wrote: > [...] > >> We're possibly losing information by shifting an int. > >> Fix it by adding the necessary cast. > > > > Nonsense. The card's _total_ capacity is no larger than 128 MB, so a > > page address can't possibly overflow an int. > > Then the 'address' variables shouldn't be declared *unsigned long*, right? > That should fix the SVACE's report as well. Would you accept such a patch? Yes. Alan Stern
diff --git a/drivers/usb/storage/sddr55.c b/drivers/usb/storage/sddr55.c index 15dc25801cdc..4aeff73de147 100644 --- a/drivers/usb/storage/sddr55.c +++ b/drivers/usb/storage/sddr55.c @@ -236,7 +236,7 @@ static int sddr55_read_data(struct us_data *us, memset (buffer, 0, len); } else { - address = (pba << info->blockshift) + page; + address = ((unsigned long)pba << info->blockshift) + page; command[0] = 0; command[1] = LSB_of(address>>16); @@ -411,7 +411,7 @@ static int sddr55_write_data(struct us_data *us, command[4] = 0x40; } - address = (pba << info->blockshift) + page; + address = ((unsigned long)pba << info->blockshift) + page; command[1] = LSB_of(address>>16); command[2] = LSB_of(address>>8);