From patchwork Thu Aug 3 06:45:44 2017
X-Patchwork-Submitter: Cyril Bur
X-Patchwork-Id: 797013
From: Cyril Bur
To: skiboot@lists.ozlabs.org
Date: Thu, 3 Aug 2017 16:45:44 +1000
X-Mailer: git-send-email 2.13.3
In-Reply-To: <20170803064551.3439-1-cyril.bur@au1.ibm.com>
References: <20170803064551.3439-1-cyril.bur@au1.ibm.com>
Message-Id: <20170803064551.3439-5-cyril.bur@au1.ibm.com>
Subject: [Skiboot] [PATCH 05/12] core/flash core/init: Fix unintended sign extension
List-Id: Mailing list for skiboot development

According to Coverity:

    le16_to_cpu(elf64->e_shnum) is promoted in `le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)` to type int (32 bits, signed), then sign-extended to type unsigned long long (64 bits, unsigned). If `le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)` is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

I'm sure in practice this can't happen since this would require either or both of e_shnum and e_shentsize to be quite large.

Fixes: CID 138019, 137707, 137706, 137708
Signed-off-by: Cyril Bur
---
I think a simple cast should solve it, so let's do that.

 core/flash.c | 4 ++--
 core/init.c  | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/flash.c b/core/flash.c
index 8a908e5b..53e6eba0 100644
--- a/core/flash.c +++ b/core/flash.c @@ -438,8 +438,8 @@ static size_t sizeof_elf_from_hdr(void *buf) if (elf->ei_class == ELF_CLASS_64) { struct elf64_hdr *elf64 = (struct elf64_hdr*) buf; sz = le64_to_cpu(elf64->e_shoff) + - (le16_to_cpu(elf64->e_shentsize) * - le16_to_cpu(elf64->e_shnum)); + ((uint32_t)le16_to_cpu(elf64->e_shentsize) * + (uint32_t)le16_to_cpu(elf64->e_shnum)); } else if (elf->ei_class == ELF_CLASS_32) { struct elf32_hdr *elf32 = (struct elf32_hdr*) buf; sz = le32_to_cpu(elf32->e_shoff) + diff --git a/core/init.c b/core/init.c index 61b531c7..a96a69c8 100644 --- a/core/init.c +++ b/core/init.c @@ -119,7 +119,8 @@ static bool try_load_elf64_le(struct elf_hdr *header) kernel_32bit = false; kernel_size = le64_to_cpu(kh->e_shoff) + - (le16_to_cpu(kh->e_shentsize) * le16_to_cpu(kh->e_shnum)); + ((uint32_t)le16_to_cpu(kh->e_shentsize) * + (uint32_t)le16_to_cpu(kh->e_shnum)); prlog(PR_DEBUG, "INIT: 64-bit kernel entry at 0x%llx, size 0x%lx\n", kernel_entry, kernel_size); @@ -196,7 +197,8 @@ static bool try_load_elf64(struct elf_hdr *header) kernel_entry += load_base; kernel_32bit = false; - kernel_size = kh->e_shoff + (kh->e_shentsize * kh->e_shnum); + kernel_size = kh->e_shoff + + ((uint32_t)kh->e_shentsize * (uint32_t)kh->e_shnum); printf("INIT: 64-bit kernel entry at 0x%llx, size 0x%lx\n", kernel_entry, kernel_size);
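Review bot: in the core/flash.c hunk (sizeof_elf_from_hdr()), the casts fix the sign extension but nothing in the code records why they exist, so a later cleanup could drop them as redundant; a one-line comment above `sz = le64_to_cpu(elf64->e_shoff) +` along the lines of `/* cast: uint16 * uint16 is computed as int and would sign-extend into sz */` would preserve the intent. Also worth confirming in review that whatever consumes the returned sz bounds it against the flash partition it is reading from: the cast only stops the product from being widened as a negative number, it does not stop a header from declaring a section table that runs past the image, since every term of sz comes straight from header fields.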
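Review bot: in the first core/init.c hunk (try_load_elf64_le()), the arithmetic is right (0xFFFF * 0xFFFF = 0xFFFE0001 fits in uint32_t, and the unsigned product is zero-extended when added to the 64-bit le64_to_cpu(kh->e_shoff)), but the commit message's "can't happen in practice" undersells the fix: e_shentsize and e_shnum are read directly from the image header in this hunk, so any header with both fields at or above 0x8000 pushes the product past 0x7FFFFFFF. Stating in the commit message that the header is untrusted input, and that kernel_size therefore still has to be bounded against the loaded image before it is used, would make the change read as a genuine hardening rather than a Coverity appeasement. Casting a single operand would suffice, since the usual arithmetic conversions promote the other to unsigned int, but casting both as done here is clearer and fine.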
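Review bot: in the second core/init.c hunk (try_load_elf64()), this is the third copy of the same expression (core/flash.c sizeof_elf_from_hdr(), try_load_elf64_le() above, and here), and the bug had to be fixed in all three places; a small static inline helper taking e_shoff, e_shentsize and e_shnum (a hypothetical name such as elf64_section_table_end(), placed in a shared header) would keep the cast in one spot so the next reader of `kernel_size = kh->e_shoff +` does not have to rediscover why it is there. Unrelated but visible in the same lines: this function logs with printf() while try_load_elf64_le() uses prlog(PR_DEBUG, ...) for the same message; if these lines are touched again, aligning the two would be good.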
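As an added illustration of the promotion the commit message describes (this is example code written for this page, not part of the patch or of skiboot's sources): a constructed stand-in for the three header fields the patch reads, the pre-patch arithmetic modelled explicitly (the real signed overflow is undefined behaviour in C, so the two's-complement outcome is reproduced by hand rather than relied on), the patched expression, and a hypothetical bounds-checking helper, elf64_section_table_end(), that a loader would want on top of the cast. Host byte order is assumed in place of skiboot's le16_to_cpu()/le64_to_cpu().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the three ELF64 header fields the patch reads.
 * Skiboot's real struct elf64_hdr has many more fields and its
 * le16_to_cpu()/le64_to_cpu() helpers byte-swap; host byte order is
 * assumed here, which changes nothing about the integer promotion.
 */
struct elf64_hdr_fields {
    uint64_t e_shoff;     /* section header table offset in the image */
    uint16_t e_shentsize; /* size of one section header entry */
    uint16_t e_shnum;     /* number of section header entries */
};

/*
 * What the pre-patch expression evaluates to. uint16_t * uint16_t is done
 * in int; a product above 0x7FFFFFFF is signed overflow (undefined in C),
 * so the two's-complement result the commit message describes is modelled
 * explicitly: the 32-bit product gets its high 32 bits set to all ones
 * before it is added to the 64-bit e_shoff.
 */
static uint64_t size_before_patch(const struct elf64_hdr_fields *h)
{
    uint32_t product = (uint32_t)h->e_shentsize * (uint32_t)h->e_shnum;
    uint64_t widened = product;

    if (product > 0x7FFFFFFFu)
        widened |= 0xFFFFFFFF00000000ull; /* sign extension of a negative int */
    return h->e_shoff + widened;
}

/* The patched expression: unsigned product, zero-extended when widened. */
static uint64_t size_after_patch(const struct elf64_hdr_fields *h)
{
    return h->e_shoff +
           ((uint32_t)h->e_shentsize * (uint32_t)h->e_shnum);
}

/*
 * Hypothetical helper (not in skiboot): the patched arithmetic plus the
 * checks a loader should apply before trusting the result. Returns false
 * if e_shoff + table size wraps around 64 bits or runs past the buffer.
 */
static bool elf64_section_table_end(const struct elf64_hdr_fields *h,
                                    uint64_t buf_len, uint64_t *end)
{
    uint32_t table = (uint32_t)h->e_shentsize * (uint32_t)h->e_shnum;

    if (h->e_shoff > UINT64_MAX - table)
        return false;              /* 64-bit addition would wrap */
    *end = h->e_shoff + table;
    if (*end > buf_len)
        return false;              /* header claims data past the image */
    return true;
}

int main(void)
{
    /* Constructed headers: a plausible one and a worst-case one. */
    struct elf64_hdr_fields sane = { 0x1000, 64, 30 };
    struct elf64_hdr_fields huge = { 0x1000, 0xFFFF, 0xFFFF };
    uint64_t end = 0;

    printf("sane: before=0x%llx after=0x%llx\n",
           (unsigned long long)size_before_patch(&sane),
           (unsigned long long)size_after_patch(&sane));
    printf("huge: before=0x%llx after=0x%llx\n",
           (unsigned long long)size_before_patch(&huge),
           (unsigned long long)size_after_patch(&huge));
    printf("huge fits in a 1 MiB image: %s\n",
           elf64_section_table_end(&huge, 1 << 20, &end) ? "yes" : "no");
    return 0;
}
```

For the sane header both paths agree (0x1780); for the worst-case header the pre-patch path yields 0xFFFFFFFFFFFE1001 while the patched one yields 0xFFFE1001, which is the difference the Coverity finding is about. The helper shows why the cast alone is not the end of the story: a correctly computed 4 GiB section table is still rejected because it does not fit the image.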