genwqe: Prevent an integer overflow in the ioctl
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 7 May 2019 08:36:34 +0000 (11:36 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Jun 2019 10:21:49 +0000 (12:21 +0200)
commite9dc6b850db20b5130600230de96862f0a46b321
tree232518c1c57ba78d94a23583f2a9c7bc64a12a83
parentb87f310ea5fe2a9b99e167e29ead3b2bb6d444a2
genwqe: Prevent an integer overflow in the ioctl

commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream.

There are a couple potential integer overflows here.

round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);

The first thing is that the "m->size + (...)" addition could overflow,
and the second is that round_up() overflows to zero if the result is
within PAGE_SIZE of the type max.

In this code, the "m->size" variable is an u64 but we're saving the
result in "map_size" which is an unsigned long and genwqe_user_vmap()
takes an unsigned long as well.  So I have used ULONG_MAX as the upper
bound.  From a practical perspective unsigned long is fine/better than
trying to change all the types to u64.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/genwqe/card_dev.c
drivers/misc/genwqe/card_utils.c