[CRIU] [PATCH] zdtm: avoid arithmetic overflow in datagen and datachk
Andrei Vagin
avagin at virtuozzo.com
Tue Oct 24 01:46:41 MSK 2017
Applied, thanks!
On Tue, Oct 17, 2017 at 09:34:52AM +0300, Andrei Vagin wrote:
> From: Andrei Vagin <avagin at virtuozzo.com>
>
> p + FAST_SIZE > buffer + length
>
> In this expression, p + FAST_SIZE may be bigger than (1<<32),
> and we will be in trouble.
>
> $ gdb -c coredump test/zdtm/static/write_read01
>
> (gdb) p p
> $3 = (uint8_t *) 0xffffa89e
> (gdb) p buffer
> $4 = (uint8_t *) 0xfff06780
> (gdb) p length
> $5 = 1000000
>
> Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
> ---
> test/zdtm/lib/datagen.c | 30 +++++++++++++++---------------
> 1 file changed, 15 insertions(+), 15 deletions(-)
>
> diff --git a/test/zdtm/lib/datagen.c b/test/zdtm/lib/datagen.c
> index 550339c40..83fbea285 100644
> --- a/test/zdtm/lib/datagen.c
> +++ b/test/zdtm/lib/datagen.c
> @@ -14,42 +14,42 @@
>
> static void datagen_fast(uint8_t *buffer, unsigned length, uint32_t *crc)
> {
> - uint8_t *p;
> + size_t off;
>
> datagen(buffer, FAST_SIZE, crc);
> - p = buffer + FAST_SIZE;
> + off = FAST_SIZE;
>
> - while (p < buffer + length) {
> + while (off < length) {
> unsigned long size = FAST_SIZE;
>
> - if (p + FAST_SIZE > buffer + length)
> - size = buffer + length - p;
> - memcpy(p, buffer, size);
> + if (off + FAST_SIZE > length)
> + size = length - off;
> + memcpy(buffer + off, buffer, size);
>
> - p += FAST_SIZE;
> + off += size;
> }
> }
>
> static int datachk_fast(const uint8_t *buffer, unsigned length, uint32_t *crc)
> {
> - const uint8_t *p;
> + size_t off;
>
> if (datachk(buffer, FAST_SIZE, crc))
> return 1;
>
> - p = buffer + FAST_SIZE;
> + off = FAST_SIZE;
>
> - while (p < buffer + length) {
> + while (off < length) {
> unsigned long size = FAST_SIZE;
>
> - if (p + FAST_SIZE > buffer + length)
> - size = buffer + length - p;
> + if (off + FAST_SIZE > length)
> + size = length - off;
>
> - if (memcmp(p, buffer, size)) {
> - test_msg("Memory corruption [%p, %p]\n", p, p + size);
> + if (memcmp(buffer + off, buffer, size)) {
> + test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size);
> return 1;
> }
> - p += FAST_SIZE;
> + off += size;
> }
>
> return 0;
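Review bot: The corruption message in datachk_fast now reports the wrong range: the new `test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size)` always prints the first FAST_SIZE bytes of the buffer, whereas the old arguments `p, p + size` pointed at the chunk that actually failed memcmp, so the diagnostic no longer says where the mismatch is. The line should read `test_msg("Memory corruption [%p, %p]\n", buffer + off, buffer + off + size);`. Both functions also appear to assume length >= FAST_SIZE, since the leading datagen()/datachk() call uses FAST_SIZE unconditionally before the bounded loop; that is pre-existing, but a one-line comment stating the precondition, or an early return when `length < FAST_SIZE`, would make it explicit now that the bounds logic is being reworked. datachk_fast's closing brace lies past the end of the hunk.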
> --
> 2.13.3
>