dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow

commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream.

This was found by a static analyzer.
There may be a potential integer overflow issue in
unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
defined as "sector_t"(uint64_t), while uc->unstripe,
uc->chunk_size and uc->stripes are all defined as "uint32_t".
The result of the calculation will be limited to "uint32_t"
without correct casting.
So, we recommend adding an extra cast to prevent potential
integer overflow.

Fixes: 18a5bf270532 ("dm: add unstriped target")
Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/md/dm-unstripe.c b/drivers/md/dm-unstripe.c
index fdc8921e5c19f01947335a85c956df89f1a0cf23..e69d297b9122ff6b1a90c19b1e4cd038c7441655 100644 (file)
--- a/drivers/md/dm-unstripe.c
+++ b/drivers/md/dm-unstripe.c
@@ -84,8 +84,8 @@ static int unstripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
        }
        uc->physical_start = start;
 
-       uc->unstripe_offset = uc->unstripe * uc->chunk_size;
-       uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size;
+       uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size;
+       uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size;
        uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0;
 
        tmp_len = ti->len;