[PATCH mtd-utils] ubifs-utils: mkfs.ubifs: fix integer overflow in mkfs.ubifs.c

Zhihao Cheng chengzhihao1 at huawei.com
Tue Dec 17 18:58:38 PST 2024


On 2024/12/18 1:28, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression '4 * c->leb_size' is subject to overflow because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> To avoid overflow, we cast one of the operands (in this case c->leb_size) to type long long, which has a larger range.
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
> 
> ---
>   ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
> index b5f3892..9f276c5 100644
> --- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
> +++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
> @@ -858,8 +858,8 @@ static int get_options(int argc, char**argv)
>   		/* Make the max journal size 8MiB */
>   		if (c->max_bud_bytes > 8 * 1024 * 1024)
>   			c->max_bud_bytes = 8 * 1024 * 1024;
> -		if (c->max_bud_bytes < 4 * c->leb_size)
> -			c->max_bud_bytes = 4 * c->leb_size;
> +		if (c->max_bud_bytes < 4 * (long long)c->leb_size)
> +			c->max_bud_bytes = 4 * (long long)c->leb_size;
>   	}
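Review bot: the commit message should state the declared types of c->max_bud_bytes and c->leb_size, because the hunk does not show them and a reader cannot tell from the diff alone that `(long long)c->leb_size` actually widens a narrower operand rather than being a no-op. The cast is also written twice, once in the comparison and once in the assignment; computing the bound once, e.g. `long long min_bud_bytes = 4LL * c->leb_size;`, and using it on both lines keeps them from drifting apart. Worth a sentence in the message as well: the 4 * leb_size lower bound is applied after the 8MiB cap from the two lines above it, so for any LEB size over 2MiB the widened product would silently override the cap; the message should say where the LEB size range is enforced (validate_options(), per the discussion) so the reader can see the widened value never exceeds the cap instead of working that out for themselves.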

The '4 * c->leb_size' could trigger an overflow, because 'c->leb_size' 
is initialized by user option '-e'. However, function validate_options() 
checks 'c->leb_size' and terminates the program if it exceeds 
UBIFS_MAX_LEB_SZ[2M], so there will be no effects.
>   
>   	if (c->log_lebs == -1) {
> 
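As an added illustration of the point discussed above, not code from the patch or from mtd-utils: the example below shows why the unwidened `4 * leb_size` is unsafe for an `int` operand taken from the `-e` option, what the cast in the patch changes, and why applying the LEB-size range check first (the role the reply attributes to validate_options()) makes the overflow unreachable. The constants EXAMPLE_MAX_LEB_SZ (2 MiB, the UBIFS_MAX_LEB_SZ value quoted in the reply) and EXAMPLE_MAX_JOURNAL (8 MiB, from the hunk's comment) and all function names are assumptions for this example, not mkfs.ubifs definitions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Assumed stand-ins for the values named in the thread; these are NOT the
 * mkfs.ubifs definitions. The reply states UBIFS_MAX_LEB_SZ is 2M, and the
 * hunk's comment says the journal is capped at 8MiB.
 */
#define EXAMPLE_MAX_LEB_SZ   (2 * 1024 * 1024)
#define EXAMPLE_MAX_JOURNAL  (8LL * 1024 * 1024)

/*
 * Would the unwidened expression 4 * leb_size overflow int? Decided by
 * bounding the operand, so the (undefined) signed overflow is never
 * actually performed.
 */
bool mul4_overflows_int(int leb_size)
{
    return leb_size > INT_MAX / 4 || leb_size < INT_MIN / 4;
}

/* The patched form: casting one operand makes the multiply 64-bit. */
long long min_bud_bytes(int leb_size)
{
    return 4 * (long long)leb_size;
}

/*
 * Derive the default journal bound the way the hunk does, but only after
 * the LEB size has passed the range check the thread attributes to
 * validate_options(). Returns -1 when leb_size is rejected.
 */
long long clamp_max_bud_bytes(long long candidate, int leb_size)
{
    if (leb_size <= 0 || leb_size > EXAMPLE_MAX_LEB_SZ)
        return -1;

    long long floor_bytes = min_bud_bytes(leb_size);

    /* Same two clamps, same order, as the hunk. */
    if (candidate > EXAMPLE_MAX_JOURNAL)
        candidate = EXAMPLE_MAX_JOURNAL;
    if (candidate < floor_bytes)
        candidate = floor_bytes;
    return candidate;
}

int main(void)
{
    /* Constructed inputs: a typical NAND LEB, the maximum, and one that
     * overflows 4 * leb_size in 32 bits. */
    int sizes[] = { 128 * 1024, EXAMPLE_MAX_LEB_SZ, 600000000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int s = sizes[i];
        printf("leb_size=%d int-overflow=%s widened=%lld clamped=%lld\n",
               s, mul4_overflows_int(s) ? "yes" : "no",
               min_bud_bytes(s),
               clamp_max_bud_bytes(16LL * 1024 * 1024, s));
    }
    return 0;
}
```

Two things fall out of the numbers: with the LEB size bounded to 2 MiB, `4 * leb_size` is at most exactly 8 MiB, so the raised lower bound can never push the journal past the cap set just above it; and any `int` LEB size above INT_MAX / 4 (536870911) would wrap in the original expression, which is the case the range check has to reject before the arithmetic runs.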