From: Zheng Yejian zhengyejian1@huawei.com
[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]
The integer overflow is descripted with following codes:
317 static comp_t encode_comp_t(u64 value) 318 { 319 int exp, rnd;
......
341 exp <<= MANTSIZE; 342 exp += value; 343 return exp; 344 }
Currently comp_t is defined as type of '__u16', but the variable 'exp' is type of 'int', so overflow would happen when variable 'exp' in line 343 is greater than 65535.
Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com Signed-off-by: Zheng Yejian zhengyejian1@huawei.com Cc: Hanjun Guo guohanjun@huawei.com Cc: Randy Dunlap rdunlap@infradead.org Cc: Vlastimil Babka vbabka@suse.cz Cc: Zhang Jinhao zhangjinhao2@huawei.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- kernel/acct.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/kernel/acct.c b/kernel/acct.c index f175df8f6aa4..12f7dacf560e 100644 --- a/kernel/acct.c +++ b/kernel/acct.c @@ -331,6 +331,8 @@ static comp_t encode_comp_t(unsigned long value) exp++; }
+ if (exp > (((comp_t) ~0U) >> MANTSIZE)) + return (comp_t) ~0U; /* * Clean it up and polish it off. */