core/flash core/init: Fix unintended sign extension

According to Coverity:
le16_to_cpu(elf64->e_shnum) is promoted in
`le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)`
to type int (32 bits, signed), then sign-extended to type
unsigned long long (64 bits, unsigned).
If `le16_to_cpu(elf64->e_shentsize) * le16_to_cpu(elf64->e_shnum)`
is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.

I'm sure in practice this can't happen since this would require
either/or e_shnum and e_shentsize to be quite large.

Fixes: CID 138019, 137707, 137706, 137708
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/core/init.c b/core/init.c
index 61b531c7..a96a69c8 100644
--- a/core/init.c
+++ b/core/init.c
@@ -119,7 +119,8 @@ static bool try_load_elf64_le(struct elf_hdr *header)
 	kernel_32bit = false;
 
 	kernel_size = le64_to_cpu(kh->e_shoff) +
-		(le16_to_cpu(kh->e_shentsize) * le16_to_cpu(kh->e_shnum));
+		((uint32_t)le16_to_cpu(kh->e_shentsize) *
+		 (uint32_t)le16_to_cpu(kh->e_shnum));
 
 	prlog(PR_DEBUG, "INIT: 64-bit kernel entry at 0x%llx, size 0x%lx\n",
 	      kernel_entry, kernel_size);
@@ -196,7 +197,8 @@ static bool try_load_elf64(struct elf_hdr *header)
 	kernel_entry += load_base;
 	kernel_32bit = false;
 
-	kernel_size = kh->e_shoff + (kh->e_shentsize * kh->e_shnum);
+	kernel_size = kh->e_shoff +
+		((uint32_t)kh->e_shentsize * (uint32_t)kh->e_shnum);
 
 	printf("INIT: 64-bit kernel entry at 0x%llx, size 0x%lx\n",
 	       kernel_entry, kernel_size);