aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZheng Yejian <[email protected]>2021-05-15 22:06:31 +0800
committerAndrew Morton <[email protected]>2022-11-30 16:13:18 -0800
commitc5f31c655bcc01b6da53b836ac951c1556245305 (patch)
treeb8bf5588b37bda48fff034aa91653d7df092d207
parent457139f16ae15d86df1e491fc45a9ea56def57b5 (diff)
acct: fix potential integer overflow in encode_comp_t()
The integer overflow is descripted with following codes: > 317 static comp_t encode_comp_t(u64 value) > 318 { > 319 int exp, rnd; ...... > 341 exp <<= MANTSIZE; > 342 exp += value; > 343 return exp; > 344 } Currently comp_t is defined as type of '__u16', but the variable 'exp' is type of 'int', so overflow would happen when variable 'exp' in line 343 is greater than 65535. Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Zheng Yejian <[email protected]> Cc: Hanjun Guo <[email protected]> Cc: Randy Dunlap <[email protected]> Cc: Vlastimil Babka <[email protected]> Cc: Zhang Jinhao <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
-rw-r--r--kernel/acct.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/acct.c b/kernel/acct.c
index 31b09cf7189c..010667ce6080 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -350,6 +350,8 @@ static comp_t encode_comp_t(u64 value)
exp++;
}
+ if (exp > (((comp_t) ~0U) >> MANTSIZE))
+ return (comp_t) ~0U;
/*
* Clean it up and polish it off.
*/