From 5472662b33bf233aa31ed52679e73c3a57f78dd1 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Thu, 1 May 2025 12:48:43 +0100
Subject: [PATCH] runtime: Fix Incorrect conversion between integer types

Fix the high severity codeql issue by checking the value is in bounds before converting

Signed-off-by: stevenhorsman
---
 src/runtime/virtcontainers/kata_agent.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index f859eec42..f287d4d1d 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -11,6 +11,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "math"
 "os"
 "path"
 "path/filepath"
@@ -1776,9 +1777,18 @@ func (k *kataAgent) handleDeviceBlockVolume(c *Container, m Mount, device api.De
 if len(vol.Options) == 0 {
 vol.Options = m.Options
 }
+
 if m.FSGroup != nil {
+ var safeFsgroup uint32
+ // Check conversions from int to uint32 is safe
+ if *m.FSGroup > 0 && *m.FSGroup <= math.MaxUint32 {
+ safeFsgroup = uint32(*m.FSGroup)
+ } else {
+ return nil, fmt.Errorf("m.FSGroup value was out of range: %d", m.FSGroup)
+
+ }
 vol.FsGroup = &grpc.FSGroup{
- GroupId: uint32(*m.FSGroup),
+ GroupId: safeFsgroup,
 GroupChangePolicy: getFSGroupChangePolicy(m.FSGroupChangePolicy),
 }
 }
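Review bot: The lower bound of the added range check in handleDeviceBlockVolume, `*m.FSGroup > 0`, also rejects group ID 0, which converts to uint32 without loss and was accepted before this change; unless excluding GID 0 is a deliberate policy, the guard should read `if *m.FSGroup >= 0 && *m.FSGroup <= math.MaxUint32 {`. The error path passes the pointer rather than the value, so `%d` prints a memory address instead of the rejected number; it should be `fmt.Errorf("m.FSGroup value was out of range: %d", *m.FSGroup)`. If GID 0 is meant to be refused, say so in the comment above the check (for example `// GID 0 is rejected on purpose: ...`) so the bound is not later "fixed" by accident. The function starts and ends outside the hunk and the declared type of m.FSGroup is not visible here, so the comparison with math.MaxUint32 is assumed to be on a 64-bit integer.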