From: Mathieu Desnoyers Date: Mon, 14 Mar 2022 15:25:56 +0000 (-0400) Subject: Fix: lttng ABI: lttng_counter_ioctl() tainted scalar X-Git-Url: http://git.lttng.org/?p=lttng-modules.git;a=commitdiff_plain;h=20b5f0d8c98dff8d959fe388166e43530268c6b7 Fix: lttng ABI: lttng_counter_ioctl() tainted scalar Found by Coverity: >>> CID 1476250: (TAINTED_SCALAR) >>> Using tainted variable "local_counter_aggregate.index.number_dimensions" as a loop boundary. >>> CID 1476250: (TAINTED_SCALAR) >>> Using tainted variable "local_counter_clear.index.number_dimensions" as a loop boundary. >>> CID 1476250: (TAINTED_SCALAR) >>> Using tainted variable "local_counter_read.index.number_dimensions" as a loop boundary. Signed-off-by: Mathieu Desnoyers Change-Id: I7d35cf96781bb18837fe4564e4e8a34aa2ddc310
---
diff --git a/src/lttng-abi.c b/src/lttng-abi.c
index c0ab0a48..fa7eca6f 100644
--- a/src/lttng-abi.c
+++ b/src/lttng-abi.c
@@ -650,6 +650,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_read.padding, sizeof(local_counter_read.padding)))
 return -EINVAL;
+ if (local_counter_read.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_read.index.number_dimensions; i++)
@@ -685,6 +687,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_aggregate.padding, sizeof(local_counter_aggregate.padding)))
 return -EINVAL;
+ if (local_counter_aggregate.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_aggregate.index.number_dimensions; i++)
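Review bot: The new bound on `local_counter_read.index.number_dimensions` has no comment saying why the ABI maximum is the right limit, and the same two lines are repeated for `local_counter_aggregate` in the second hunk and `local_counter_clear` in the third. The arrays that the following loop indexes are declared outside these hunks, so it cannot be confirmed from here that they hold exactly `LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX` entries. If they do, `>` is the correct comparison, and a short comment would pin that down, e.g. `/* number_dimensions is flagged as tainted by Coverity and bounds the copy loop below. */`. Because the check is identical in all three command cases, a small static helper taking the index struct would keep the three sites from drifting apart. `lttng_counter_ioctl()` starts and ends outside all three hunks.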
@@ -716,6 +720,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_clear.padding, sizeof(local_counter_clear.padding)))
 return -EINVAL;
+ if (local_counter_clear.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_clear.index.number_dimensions; i++)