lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 25 Mar 2019 12:08:12 +0200
From:   Sakari Ailus <sakari.ailus@...ux.intel.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     Mauro Carvalho Chehab <mchehab@...nel.org>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        Paul Kocialkowski <paul.kocialkowski@...tlin.com>,
        Tomasz Figa <tfiga@...omium.org>,
        Philipp Zabel <p.zabel@...gutronix.de>,
        Keiichi Watanabe <keiichiw@...omium.org>,
        Smitha T Murthy <smitha.t@...sung.com>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] media: v4l2-ctrl: potential shift wrapping bugs

Hi Dan,

Thanks for the patch.

On Mon, Mar 25, 2019 at 12:06:26PM +0300, Dan Carpenter wrote:
> This code generates a static checker warning:
> 
>     drivers/media/v4l2-core/v4l2-ctrls.c:2921 v4l2_querymenu()
>     warn: should '(1 << i)' be a 64 bit type?
> 
> The problem is that "ctrl->menu_skip_mask" is a u64 and we're only
> testing the lower 32 bits.

This seems to be caused by patch 0ba2aeb6dab8 ("[media] v4l2-ctrls:
increase internal min/max/step/def to 64 bit"). Backporting the fix isn't
likely really important --- the reason being no-one has figured this out
previously, very probably so because there are no menus that long.

Reviewed-by: Sakari Ailus <sakari.ailus@...ux.intel.com>

> 
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
>  drivers/media/v4l2-core/v4l2-ctrls.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
> index b79d3bbd8350..cee78485df02 100644
> --- a/drivers/media/v4l2-core/v4l2-ctrls.c
> +++ b/drivers/media/v4l2-core/v4l2-ctrls.c
> @@ -1599,7 +1599,7 @@ static int std_validate(const struct v4l2_ctrl *ctrl, u32 idx,
>  	case V4L2_CTRL_TYPE_INTEGER_MENU:
>  		if (ptr.p_s32[idx] < ctrl->minimum || ptr.p_s32[idx] > ctrl->maximum)
>  			return -ERANGE;
> -		if (ctrl->menu_skip_mask & (1 << ptr.p_s32[idx]))
> +		if (ctrl->menu_skip_mask & (1ULL << ptr.p_s32[idx]))
>  			return -EINVAL;
>  		if (ctrl->type == V4L2_CTRL_TYPE_MENU &&
>  		    ctrl->qmenu[ptr.p_s32[idx]][0] == '\0')
> @@ -2918,7 +2918,7 @@ int v4l2_querymenu(struct v4l2_ctrl_handler *hdl, struct v4l2_querymenu *qm)
>  		return -EINVAL;
>  
>  	/* Use mask to see if this menu item should be skipped */
> -	if (ctrl->menu_skip_mask & (1 << i))
> +	if (ctrl->menu_skip_mask & (1ULL << i))
>  		return -EINVAL;
>  	/* Empty menu items should also be skipped */
>  	if (ctrl->type == V4L2_CTRL_TYPE_MENU) {

-- 
Kind regards,

Sakari Ailus
sakari.ailus@...ux.intel.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ