From 20b5f0d8c98dff8d959fe388166e43530268c6b7 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Mon, 14 Mar 2022 11:25:56 -0400
Subject: [PATCH] Fix: lttng ABI: lttng_counter_ioctl() tainted scalar

Found by Coverity:
>>> CID 1476250: (TAINTED_SCALAR)
>>> Using tainted variable "local_counter_aggregate.index.number_dimensions" as a loop boundary.
>>> CID 1476250: (TAINTED_SCALAR)
>>> Using tainted variable "local_counter_clear.index.number_dimensions" as a loop boundary.
>>> CID 1476250: (TAINTED_SCALAR)
>>> Using tainted variable "local_counter_read.index.number_dimensions" as a loop boundary.

Signed-off-by: Mathieu Desnoyers
Change-Id: I7d35cf96781bb18837fe4564e4e8a34aa2ddc310
---
 src/lttng-abi.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lttng-abi.c b/src/lttng-abi.c
index c0ab0a48..fa7eca6f 100644
--- a/src/lttng-abi.c
+++ b/src/lttng-abi.c
@@ -650,6 +650,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_read.padding,
 sizeof(local_counter_read.padding)))
 return -EINVAL;
+ if (local_counter_read.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_read.index.number_dimensions; i++)
@@ -685,6 +687,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_aggregate.padding,
 sizeof(local_counter_aggregate.padding)))
 return -EINVAL;
+ if (local_counter_aggregate.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_aggregate.index.number_dimensions; i++)
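Review bot: The new bound on `local_counter_read.index.number_dimensions` carries no comment saying why it is there, even though the value appears to be user-supplied (this is an ioctl handler and Coverity reports it as tainted) and it limits the loop directly below the check. I would put `/* number_dimensions is user-controlled: bound it before it is used as the loop limit for the index copy. */` above the `if`. The loop body lies outside the hunk, so it still needs confirming against the full function that the arrays it indexes hold LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX entries; if they do, `>` is the right comparison and the check closes an out-of-bounds access rather than only silencing a warning. The same two lines are repeated for `local_counter_aggregate` (hunk at -685) and `local_counter_clear` (hunk at -716), so a small `static` helper that takes the count would keep the three cases from drifting apart.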
@@ -716,6 +720,8 @@ long lttng_counter_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (validate_zeroed_padding(local_counter_clear.padding,
 sizeof(local_counter_clear.padding)))
 return -EINVAL;
+ if (local_counter_clear.index.number_dimensions > LTTNG_KERNEL_ABI_COUNTER_DIMENSION_MAX)
+ return -EINVAL;
 
 /* Cast all indexes into size_t. */
 for (i = 0; i < local_counter_clear.index.number_dimensions; i++)
-- 
2.34.1