ndk_compat: bound the shift in set_cpu_mask_bit #465

Open
EylonKrause wants to merge 1 commit into google:main from EylonKrause:fix/ndk-cpu-mask-shift-guard

@EylonKrause

Description

parse_cpu_mask parses a CPU-topology mask (e.g. from /sys/devices/system/cpu/.../topology). Its single-index branch calls set_cpu_mask_bit(cpu_index, ...) with the parsed index directly, and the helper does:

```c
*cpu_mask |= 1UL << index;
```

cpu_mask is a uint32_t (a 32-CPU mask). An index >= 32 truncates into the mask, and an index >= the width of the shifted type — a lone core index >= 64 on a many-core machine, or a crafted/foreign topology line — makes 1UL << index undefined behavior. The range branch already guards if (i < 32); the single-index branch has no such bound.

Fix

Bound the shift inside set_cpu_mask_bit (so both callers are covered), matching the existing 32-CPU limit, and shift a uint32_t to match the mask type.

Testing

ndk_compat isn't built on this x86 host, but the change is a localized guard consistent with the range path's existing i < 32 check and the uint32_t mask width.

parse_cpu_mask's single-index path passes the parsed cpu index straight to
set_cpu_mask_bit, which did `*cpu_mask |= 1UL << index` with no bound. cpu_mask
is a 32-bit mask, so an index >= 32 truncates, and an index >= the width of the
shifted type (a lone core index >= 64 on a many-core machine, or a crafted
topology line) is undefined behavior. The range path already guards `i < 32`;
apply the same bound in the helper so both callers are safe, and shift a
uint32_t to match the mask type.
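
The bound described in this pull request, as an added example that is not the project's code or the patch itself: a helper that drops any index outside the 32-bit mask, called from both the single-index and the range path. The names `set_bit_bounded`, `parse_cpu_list` and `cpu_mask_of`, the comma-separated list format, and the sample lines are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MASK_BITS 32u /* the 32-CPU limit of the uint32_t mask */

/* Bounded helper: an index outside the mask is dropped, never shifted. */
static void set_bit_bounded(uint32_t *mask, unsigned long index) {
    if (index < MASK_BITS)
        *mask |= (uint32_t)1 << index;
}

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Hypothetical parser for a list such as "0-3,7,40" (format assumed).
 * Returns 0 on success, -1 on malformed input. */
static int parse_cpu_list(const char *s, uint32_t *mask) {
    *mask = 0;
    while (*s && *s != '\n') {
        char *end;
        if (!is_digit(*s)) return -1;
        unsigned long lo = strtoul(s, &end, 10), hi = lo;
        if (*end == '-') {                 /* range branch */
            if (!is_digit(end[1])) return -1;
            hi = strtoul(end + 1, &end, 10);
            if (hi < lo) return -1;
        }
        /* The loop bound also keeps a huge range from spinning. */
        for (unsigned long i = lo; i <= hi && i < MASK_BITS; i++)
            set_bit_bounded(mask, i);      /* single index: lo == hi */
        if (*end == ',') end++;
        else if (*end && *end != '\n') return -1;
        s = end;
    }
    return 0;
}

/* Convenience wrapper: mask for a list, 0 if the list is malformed. */
static uint32_t cpu_mask_of(const char *s) {
    uint32_t m;
    return parse_cpu_list(s, &m) == 0 ? m : 0;
}

int main(void) {
    /* Constructed sample lines, not captured from a real device. */
    const char *samples[] = { "0-3,7,40", "31", "64", "0-4000000000" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-14s -> 0x%08x\n", samples[i], (unsigned)cpu_mask_of(samples[i]));
    return 0;
}
```

Because the check lives in the helper, a lone index such as `40` or `64` leaves the mask unchanged instead of reaching the shift.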