From 8c922a0198358cfc636be0633a4e8a61b0c655f9 Mon Sep 17 00:00:00 2001
From: Jack May
Date: Mon, 16 Nov 2020 16:13:01 -0800
Subject: [PATCH] fix arithmetic overflow in slice translation (#13624)

* fix arithmetic overflow in slice translation

* nudge
---
 programs/bpf_loader/src/syscalls.rs | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 450646d563..4993515c70 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -262,7 +262,7 @@ macro_rules! translate_slice_mut {
 $memory_mapping,
 $access_type,
 $vm_addr,
- $len as usize * size_of::<$t>(),
+ ($len as usize).saturating_mul(size_of::<$t>()),
 $loader_id
 ) {
 Ok(value) => Ok(unsafe { from_raw_parts_mut(value as *mut $t, $len as usize) }),
@@ -1510,7 +1510,7 @@ mod tests {
 AccessType::Load,
 data.as_ptr(),
 u8,
- data.len(),
+ 0,
 &bpf_loader::id()
 )
 .unwrap();
@@ -1538,6 +1538,25 @@ mod tests {
 assert_eq!(data, translated_data);
 data[0] = 10;
 assert_eq!(data, translated_data);
+ assert!(translate_slice!(
+ memory_mapping,
+ AccessType::Load,
+ data.as_ptr(),
+ u8,
+ u64::MAX,
+ &bpf_loader::id()
+ )
+ .is_err());
+ assert!(translate_slice!(
+ memory_mapping,
+ AccessType::Load,
+ 100 - 1,
+ u8,
+ data.len(),
+ &bpf_loader::id()
+ )
+ .is_err());
 // Pubkeys
 let mut data = vec![solana_sdk::pubkey::new_rand(); 5];
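Review bot: The `$len as usize` cast in the changed line still truncates silently before the saturating multiply on any target where `usize` is narrower than `u64`, so a guest length with its high bits set would arrive as a small byte count; the VM host side is presumably only built for 64-bit targets, and that assumption should be stated next to the cast, e.g. `// $len is a guest-supplied u64; usize is 64 bits on every supported host, so this cast cannot truncate`. The saturating product only guarantees that the translate call receives `usize::MAX` instead of a wrapped-around small value, so rejecting the oversized request still rests on the callee checking the byte length against the mapped region; the `unsafe { from_raw_parts_mut(...) }` line that follows would read better with a `// SAFETY:` comment naming that reliance, since `from_raw_parts_mut` also requires the total byte size not to exceed `isize::MAX`. The new assertion in the third hunk feeds `u64::MAX` to `translate_slice!`, not to `translate_slice_mut!`, so if the read-only macro does not expand through this one it needs the same `saturating_mul` change. The macro body begins and ends outside the hunk.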