1From 302c12ff5714bc455949117c1c9548ccb324d55b Mon Sep 17 00:00:00 2001 2From: Darren Kenny <darren.kenny@oracle.com> 3Date: Tue, 8 Dec 2020 22:17:04 +0000 4Subject: [PATCH] zfs: Fix possible integer overflows 5 6In all cases the problem is that the value being acted upon by 7a left-shift is a 32-bit number which is then being used in the 8context of a 64-bit number. 9 10To avoid overflow we ensure that the number being shifted is 64-bit 11before the shift is done. 12 13Fixes: CID 73684, CID 73695, CID 73764 14 15Signed-off-by: Darren Kenny <darren.kenny@oracle.com> 16Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 17Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 18--- 19 grub-core/fs/zfs/zfs.c | 8 ++++---- 20 1 file changed, 4 insertions(+), 4 deletions(-) 21 22diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c 23index 9087a72..b078ccc 100644 24--- a/grub-core/fs/zfs/zfs.c 25+++ b/grub-core/fs/zfs/zfs.c 26@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array, 27 ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array 28 + ((i << ub_shift) 29 / sizeof (grub_properly_aligned_t))); 30- err = uberblock_verify (ubptr, offset, 1 << ub_shift); 31+ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift); 32 if (err) 33 { 34 grub_errno = GRUB_ERR_NONE; 35@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc, 36 37 high = grub_divmod64 ((offset >> desc->ashift) + c, 38 desc->n_children, &devn); 39- csize = bsize << desc->ashift; 40+ csize = (grub_size_t) bsize << desc->ashift; 41 if (csize > len) 42 csize = len; 43 44@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc, 45 46 while (len > 0) 47 { 48- grub_size_t csize; 49- csize = ((s / (desc->n_children - desc->nparity)) 50+ grub_size_t csize = s; 51+ csize = ((csize / (desc->n_children - desc->nparity)) 52 << desc->ashift); 53 if (csize > len) 54 csize = len; 55-- 562.14.2 57 58