fix arithmetic overflow in slice translation (#13624)

* fix arithmetic overflow in slice translation * nudge
2020-11-16 16:13:01 -08:00 · 2020-11-16 16:13:01 -08:00 · 8c922a0198
parent 64a3cf03e2
commit 8c922a0198
1 changed files with 21 additions and 2 deletions
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@ -262,7 +262,7 @@ macro_rules! translate_slice_mut {
                $memory_mapping,
                $access_type,
                $vm_addr,
-                $len as usize * size_of::<$t>(),
+                ($len as usize).saturating_mul(size_of::<$t>()),
                $loader_id
            ) {
                Ok(value) => Ok(unsafe { from_raw_parts_mut(value as *mut $t, $len as usize) }),
@ -1510,7 +1510,7 @@ mod tests {
            AccessType::Load,
            data.as_ptr(),
            u8,
-            data.len(),
+            0,
            &bpf_loader::id()
        )
        .unwrap();
@ -1538,6 +1538,25 @@ mod tests {
        assert_eq!(data, translated_data);
        data[0] = 10;
        assert_eq!(data, translated_data);
+        assert!(translate_slice!(
+            memory_mapping,
+            AccessType::Load,
+            data.as_ptr(),
+            u8,
+            u64::MAX,
+            &bpf_loader::id()
+        )
+        .is_err());
+
+        assert!(translate_slice!(
+            memory_mapping,
+            AccessType::Load,
+            100 - 1,
+            u8,
+            data.len(),
+            &bpf_loader::id()
+        )
+        .is_err());

        // Pubkeys
        let mut data = vec![solana_sdk::pubkey::new_rand(); 5];