From: Dmitry Antipov Date: Tue, 19 May 2026 17:22:53 +0000 (+0300) Subject: lib: fix memparse() to handle overflow X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a4580db6e9f83428813f671a79486469684069f;p=thirdparty%2Flinux.git lib: fix memparse() to handle overflow Since '_parse_integer_limit()' (and so 'simple_strtoull()') is now capable to handle overflow, adjust 'memparse()' to handle overflow (denoted by ULLONG_MAX) returned from 'simple_strtoull()'. Also use 'check_shl_overflow()' to catch an overflow possibly caused by processing size suffix and denote it with ULLONG_MAX as well. Link: https://lore.kernel.org/20260519172259.908980-3-dmantipov@yandex.ru Signed-off-by: Dmitry Antipov Reviewed-by: Andy Shevchenko Cc: Albert Ou Cc: Alexandre Ghiti Cc: Ard Biesheuvel Cc: Charlie Jenkins Cc: Palmer Dabbelt Signed-off-by: Andrew Morton --- diff --git a/lib/cmdline.c b/lib/cmdline.c index 90ed997d9570..f6e4b113ca9f 100644 --- a/lib/cmdline.c +++ b/lib/cmdline.c @@ -150,39 +150,46 @@ EXPORT_SYMBOL(get_options); unsigned long long memparse(const char *ptr, char **retptr) { char *endptr; /* local pointer to end of parsed string */ - unsigned long long ret = simple_strtoull(ptr, &endptr, 0); + unsigned int shl = 0; + /* Consume valid suffix even in case of overflow. */ switch (*endptr) { case 'E': case 'e': - ret <<= 10; + shl += 10; fallthrough; case 'P': case 'p': - ret <<= 10; + shl += 10; fallthrough; case 'T': case 't': - ret <<= 10; + shl += 10; fallthrough; case 'G': case 'g': - ret <<= 10; + shl += 10; fallthrough; case 'M': case 'm': - ret <<= 10; + shl += 10; fallthrough; case 'K': case 'k': - ret <<= 10; - endptr++; + shl += 10; fallthrough; default: break; } + if (shl && likely(ptr != endptr)) { + /* Have valid suffix with preceding number. */ + if (unlikely(check_shl_overflow(ret, shl, &ret))) + ret = ULLONG_MAX; + endptr++; + } + if (retptr) *retptr = endptr;