[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180130045545.Horde.1SSKgcFKaDeoUtmczJ8SRH1@gator4166.hostgator.com>
Date: Tue, 30 Jan 2018 04:55:45 -0600
From: "Gustavo A. R. Silva" <garsilva@...eddedor.com>
To: Hans Verkuil <hverkuil@...all.nl>
Cc: "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 8/8] platform: vivid-cec: fix potential integer overflow
in vivid_cec_pin_adap_events
Quoting Hans Verkuil <hverkuil@...all.nl>:
> On 01/30/2018 09:51 AM, Gustavo A. R. Silva wrote:
>> Hi Hans,
>>
>> Quoting Hans Verkuil <hverkuil@...all.nl>:
>>
>>> Hi Gustavo,
>>>
>>> On 01/30/2018 01:33 AM, Gustavo A. R. Silva wrote:
>>>> Cast len to const u64 in order to avoid a potential integer
>>>> overflow. This variable is being used in a context that expects
>>>> an expression of type const u64.
>>>>
>>>> Addresses-Coverity-ID: 1454996 ("Unintentional integer overflow")
>>>> Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com>
>>>> ---
>>>> drivers/media/platform/vivid/vivid-cec.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/media/platform/vivid/vivid-cec.c
>>>> b/drivers/media/platform/vivid/vivid-cec.c
>>>> index b55d278..30240ab 100644
>>>> --- a/drivers/media/platform/vivid/vivid-cec.c
>>>> +++ b/drivers/media/platform/vivid/vivid-cec.c
>>>> @@ -83,7 +83,7 @@ static void vivid_cec_pin_adap_events(struct
>>>> cec_adapter *adap, ktime_t ts,
>>>> if (adap == NULL)
>>>> return;
>>>> ts = ktime_sub_us(ts, (CEC_TIM_START_BIT_TOTAL +
>>>> - len * 10 * CEC_TIM_DATA_BIT_TOTAL));
>>>> + (const u64)len * 10 * CEC_TIM_DATA_BIT_TOTAL));
>>>
>>> This makes no sense. Certainly the const part is pointless. And given that
>>> len is always <= 16 there definitely is no overflow.
>>>
>>
>> Yeah, I understand your point and I know there is no chance of an
>> overflow in this particular case.
>>
>>> I don't really want this cast in the code.
>>>
>>> Sorry,
>>>
>>
>> I'm working through all the Linux kernel Coverity reports, and I
>> thought of sending a patch for this because IMHO it doesn't hurt to
>> give the compiler complete information about the arithmetic in which
>> an expression is intended to be evaluated.
>>
>> I agree that the _const_ part is a bit odd. What do you think about
>> the cast to u64 alone?
>
> What happens if you do: ((u64)CEC_TIM_START_BIT_TOTAL +
>
> I think that forces everything else in the expression to be evaluated
> as u64.
>
Well, in this case the operator precedence takes place and the
expression len * 10 * CEC_TIM_DATA_BIT_TOTAL is computed first. So the
issue remains the same.
I can switch the expressions as follows:
(u64)len * 10 * CEC_TIM_DATA_BIT_TOTAL + CEC_TIM_START_BIT_TOTAL
and avoid the cast in the middle.
What do you think?
> It definitely needs a comment that this fixes a bogus Coverity report.
>
I actually added the following line to the message changelog:
Addresses-Coverity-ID: 1454996 ("Unintentional integer overflow")
Certainly, I've run across multiple false positives as in this case,
but I have also fixed many actual bugs thanks to the Coverity reports.
So I think in general it is valuable to take a look into these
reports, either if they spot actual bugs or promote code correctness.
Thanks
--
Gustavo
Powered by blists - more mailing lists