[CRIU] [PATCH] zdtm: avoid arithmetic overflow in datagen and datachk

Andrei Vagin avagin at virtuozzo.com
Tue Oct 24 01:46:41 MSK 2017


Applied, thanks!

On Tue, Oct 17, 2017 at 09:34:52AM +0300, Andrei Vagin wrote:
> From: Andrei Vagin <avagin at virtuozzo.com>
> 
> p + FAST_SIZE > buffer + length
> 
> In this expression, p + FAST_SIZE may be bigger than (1<<32),
> and we will be in trouble.
> 
> $ gdb -c coredump test/zdtm/static/write_read01
> 
> (gdb) p p
> $3 = (uint8_t *) 0xffffa89e
> (gdb) p buffer
> $4 = (uint8_t *) 0xfff06780
> (gdb) p length
> $5 = 1000000
> 
> Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
> ---
>  test/zdtm/lib/datagen.c | 30 +++++++++++++++---------------
>  1 file changed, 15 insertions(+), 15 deletions(-)
> 
> diff --git a/test/zdtm/lib/datagen.c b/test/zdtm/lib/datagen.c
> index 550339c40..83fbea285 100644
> --- a/test/zdtm/lib/datagen.c
> +++ b/test/zdtm/lib/datagen.c
> @@ -14,42 +14,42 @@
>  
>  static void datagen_fast(uint8_t *buffer, unsigned length, uint32_t *crc)
>  {
> -	uint8_t *p;
> +	size_t off;
>  
>  	datagen(buffer, FAST_SIZE, crc);
> -	p = buffer + FAST_SIZE;
> +	off = FAST_SIZE;
>  
> -	while (p < buffer + length) {
> +	while (off < length) {
>  		unsigned long size = FAST_SIZE;
>  
> -		if (p + FAST_SIZE > buffer + length)
> -			size = buffer + length - p;
> -		memcpy(p, buffer, size);
> +		if (off + FAST_SIZE > length)
> +			size = length - off;
> +		memcpy(buffer + off, buffer, size);
>  
> -		p += FAST_SIZE;
> +		off += size;
>  	}
>  }
>  
>  static int datachk_fast(const uint8_t *buffer, unsigned length, uint32_t *crc)
>  {
> -	const uint8_t *p;
> +	size_t off;
>  
>  	if (datachk(buffer, FAST_SIZE, crc))
>  		return 1;
>  
> -	p = buffer + FAST_SIZE;
> +	off = FAST_SIZE;
>  
> -	while (p < buffer + length) {
> +	while (off < length) {
>  		unsigned long size = FAST_SIZE;
>  
> -		if (p + FAST_SIZE > buffer + length)
> -			size = buffer + length - p;
> +		if (off + FAST_SIZE > length)
> +			size = length - off;
>  
> -		if (memcmp(p, buffer, size)) {
> -			test_msg("Memory corruption [%p, %p]\n", p, p + size);
> +		if (memcmp(buffer + off, buffer, size)) {
> +			test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size);
>  			return 1;
>  		}
> -		p += FAST_SIZE;
> +		off += size;
>  	}
>  
>  	return 0;
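Review bot: The diagnostic in datachk_fast no longer points at the mismatching chunk: the new `test_msg` call passes `buffer` and `buffer + size`, so every report names the first FAST_SIZE bytes of the buffer regardless of which chunk failed the memcmp, whereas the removed line reported `p` and `p + size`. It should read `test_msg("Memory corruption [%p, %p]\n", buffer + off, buffer + off + size);` to keep the original meaning with the offset-based loop. The same hunk's change from `p += FAST_SIZE` to `off += size` in both functions is harmless, since `size` only shrinks on the final chunk and the loop exits either way. The closing brace of datachk_fast lies outside the hunk.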
> -- 
> 2.13.3
> 

