From 6d8d5d1379f745e6ba86a73e56a0074e1f316b11 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Sun, 22 Nov 2020 03:30:27 +0000
Subject: [PATCH] fix arithmetic overflow in slice translation (bp #13624) (#13625)

* fix arithmetic overflow in slice translation (#13624)
* fix arithmetic overflow in slice translation
* nudge
(cherry picked from commit 8c922a0198358cfc636be0633a4e8a61b0c655f9)
# Conflicts:
# programs/bpf_loader/src/syscalls.rs
* fix conflicts
Co-authored-by: Jack May
---
 programs/bpf_loader/src/syscalls.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 929d818db4..2a4006ddd9 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -268,7 +268,7 @@ macro_rules! translate_slice_mut {
 } else {
 match translate_addr::(
 $vm_addr as u64,
- $len as usize * size_of::<$t>(),
+ ($len as usize).saturating_mul(size_of::<$t>()),
 file!(),
 line!() as usize - ELF_INSN_DUMP_OFFSET + 1,
 $regions,
@@ -1354,7 +1354,7 @@ mod tests {
 len: good_data.len() as u64,
 }];
 let translated_data =
- translate_slice!(u8, data.as_ptr(), data.len(), ®ions, &bpf_loader::id()).unwrap();
+ translate_slice!(u8, data.as_ptr(), 0, ®ions, &bpf_loader::id()).unwrap();
 assert_eq!(data, translated_data);
 assert_eq!(0, translated_data.len());
 
@@ -1371,6 +1371,11 @@ mod tests {
 assert_eq!(data, translated_data);
 data[0] = 10;
 assert_eq!(data, translated_data);
+ assert!(
+ translate_slice!(u8, data.as_ptr(), u64::MAX, ®ions, &bpf_loader::id()).is_err()
+ );
+
+ assert!(translate_slice!(u8, 100 - 1, data.len(), ®ions, &bpf_loader::id()).is_err());
 
 // Pubkeys
 let mut data = vec![solana_sdk::pubkey::new_rand(); 5];
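Review bot: `saturating_mul` in the `translate_slice_mut` hunk clamps an oversized byte count to `usize::MAX`, but the macro then depends entirely on `translate_addr` rejecting that value, and `translate_addr`'s bounds check is not visible here. If that check adds the length to `vm_addr`, it must be overflow-safe as well, otherwise the wrap only moves one call further down. A `checked_mul` that returns an error directly would make the rejection explicit; at minimum a comment such as `// $len comes from the BPF program: saturate so an oversized length fails translation instead of wrapping to a small byte count` would record the intent. The macro body starts and ends outside the hunk, so the later use of `$len` to build the slice was not reviewed.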
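Review bot: The new `u64::MAX` assertion in the last hunk does not exercise the multiplication being fixed: with element type `u8` the factor `size_of::<u8>()` is 1, so the byte count cannot overflow and the assertion would hold against the old `*` as well. It also passes the host pointer `data.as_ptr()` as the VM address; if this region is mapped at VM address 100, as the `100 - 1` case suggests (the region setup is outside the hunk), the call may already fail on the address alone. A regression test that pins the fix would combine a mapped VM address with a multi-byte element type, for example in the Pubkeys section below: `assert!(translate_slice!(Pubkey, 100, u64::MAX, &regions, &bpf_loader::id()).is_err());`, assuming that section maps its region at the same address.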