lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200618142106.GK159988@e110455-lin.cambridge.arm.com>
Date:   Thu, 18 Jun 2020 15:21:06 +0100
From:   Liviu Dudau <liviu.dudau@....com>
To:     Colin Ian King <colin.king@...onical.com>
Cc:     David Airlie <airlied@...ux.ie>, kernel-janitors@...r.kernel.org,
        linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org
Subject: Re: [PATCH] drm/arm: fix unintentional integer overflow on left shift

On Thu, Jun 18, 2020 at 01:50:34PM +0100, Colin Ian King wrote:
> On 18/06/2020 13:14, Liviu Dudau wrote:
> > On Thu, Jun 18, 2020 at 11:04:00AM +0100, Colin King wrote:
> >> From: Colin Ian King <colin.king@...onical.com>
> > 
> > Hi Colin,
> > 
> >>
> >> Shifting the integer value 1 is evaluated using 32-bit arithmetic
> >> and then used in an expression that expects a long value leads to
> >> a potential integer overflow.
> > 
> > I'm afraid this explanation makes no sense to me. Do you care to explain better what
> > you think the issue is? If the shift is done as 32-bit arithmetic and then promoted
> > to long how does the overflow happen?
> 
> The shift is performed using 32 bit signed math and then assigned to an
> unsigned 64 bit long. This if the shift is 31 bits then the signed int
> conversion of 0x80000000 to unsigned long becomes 0xffffffff80000000.
> If the shift is more than 32 bits then result overflows and becomes 0x0.

You are right, I've missed the fact that it is signed math. Not very likely that
we are going to ever have 30 or more CRTCs in the driver, but Coverity has no
way of knowing that.

Acked-by: Liviu Dudau <liviu.dudau@....com>

I will pull this into drm-misc-next today.

Best regards,
Liviu

> 
> Colin
> 
> > 
> > Best regards,
> > Liviu
> > 
> >> Fix this by using the BIT macro to
> >> perform the shift to avoid the overflow.
> >>
> >> Addresses-Coverity: ("Unintentional integer overflow")
> >> Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors")
> >> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> >> ---
> >>  drivers/gpu/drm/arm/malidp_planes.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/arm/malidp_planes.c b/drivers/gpu/drm/arm/malidp_planes.c
> >> index 37715cc6064e..ab45ac445045 100644
> >> --- a/drivers/gpu/drm/arm/malidp_planes.c
> >> +++ b/drivers/gpu/drm/arm/malidp_planes.c
> >> @@ -928,7 +928,7 @@ int malidp_de_planes_init(struct drm_device *drm)
> >>  	const struct malidp_hw_regmap *map = &malidp->dev->hw->map;
> >>  	struct malidp_plane *plane = NULL;
> >>  	enum drm_plane_type plane_type;
> >> -	unsigned long crtcs = 1 << drm->mode_config.num_crtc;
> >> +	unsigned long crtcs = BIT(drm->mode_config.num_crtc);
> >>  	unsigned long flags = DRM_MODE_ROTATE_0 | DRM_MODE_ROTATE_90 | DRM_MODE_ROTATE_180 |
> >>  			      DRM_MODE_ROTATE_270 | DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y;
> >>  	unsigned int blend_caps = BIT(DRM_MODE_BLEND_PIXEL_NONE) |
> >> -- 
> >> 2.27.0.rc0
> >>
> > 
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@...ts.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
====================
| I would like to |
| fix the world,  |
| but they're not |
| giving me the   |
 \ source code!  /
  ---------------
    ¯\_(ツ)_/¯

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ