lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <CCUPTHKOCEWC.3NLHJ5ACINRYN@shaak>
Date:   Fri, 16 Jul 2021 12:46:24 -0400
From:   "Liam Beguin" <liambeguin@...il.com>
To:     "Peter Rosin" <peda@...ntia.se>, <jic23@...nel.org>,
        <lars@...afoo.de>, <pmeerw@...erw.net>
Cc:     <linux-kernel@...r.kernel.org>, <linux-iio@...r.kernel.org>,
        <devicetree@...r.kernel.org>, <robh+dt@...nel.org>
Subject: Re: [PATCH v5 04/10] iio: afe: rescale: reduce risk of integer
 overflow

On Thu Jul 15, 2021 at 6:23 AM EDT, Peter Rosin wrote:
> On 2021-07-15 05:12, Liam Beguin wrote:
> > From: Liam Beguin <lvb@...hos.com>
> > 
> > Reduce the risk of integer overflow by doing the scale calculation with
> > 64bit integers and looking for a Greatest Common Divider for both parts
> > of the fractional value when required.
> > 
> > Signed-off-by: Liam Beguin <lvb@...hos.com>
> > ---
> >  drivers/iio/afe/iio-rescale.c | 15 ++++++++++++---
> >  1 file changed, 12 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/iio/afe/iio-rescale.c b/drivers/iio/afe/iio-rescale.c
> > index 774eb3044edd..4c3cfd4d5181 100644
> > --- a/drivers/iio/afe/iio-rescale.c
> > +++ b/drivers/iio/afe/iio-rescale.c
> > @@ -39,7 +39,8 @@ static int rescale_read_raw(struct iio_dev *indio_dev,
> >  			    int *val, int *val2, long mask)
> >  {
> >  	struct rescale *rescale = iio_priv(indio_dev);
> > -	unsigned long long tmp;
> > +	s64 tmp, tmp2;
> > +	u32 factor;
> >  	int ret;
> >  
> >  	switch (mask) {
> > @@ -67,8 +68,16 @@ static int rescale_read_raw(struct iio_dev *indio_dev,
> >  		}
> >  		switch (ret) {
> >  		case IIO_VAL_FRACTIONAL:
> > -			*val *= rescale->numerator;
> > -			*val2 *= rescale->denominator;
> > +			tmp = (s64)*val * rescale->numerator;
> > +			tmp2 = (s64)*val2 * rescale->denominator;
> > +			if (check_mul_overflow(*val, rescale->numerator, (s32 *)&tmp) ||
> > +			check_mul_overflow(*val2, rescale->denominator, (s32 *)&tmp2)) {

Hi Peter,

>
> The white space should be like this, methinks.
>
> if (check_mul_overflow(*val, rescale->numerator, (s32 *)&tmp) ||
> check_mul_overflow(*val2, rescale->denominator, (s32 *)&tmp2))
> {
>

Sorry about that... Like I said in the cover letter, I'm working on
getting kunit tests running for the iio-rescale. At the moment it still
requires copying part of the code over and sure enough I forgot to copy
some of it back. My apologies for the noise...

This is what I meant to send:

case IIO_VAL_FRACTIONAL:
	if (check_mul_overflow(*val, rescale->numerator, (s32 *)&tmp) ||
	    check_mul_overflow(*val2, rescale->denominator, (s32 *)&tmp2)) {
		tmp = (s64)*val * rescale->numerator;
		tmp2 = (s64)*val2 * rescale->denominator;
		factor = gcd(tmp, tmp2);
		do_div(tmp, factor);
		do_div(tmp2, factor);
	}

	*val = tmp;
	*val2 = tmp2;
	return ret;

I'll also move the opening bracket on a new line if you prefer.

> > +				factor = gcd(tmp, tmp2);
>
> And I just realized, gcd() works on unsigned values which is a bit safer
> for the
> scale factor. But here, for the actual values, more care is needed.
>

I added negative test cases to take this into account. I'll update and
resend. I'm going to find a way to get the test cases ready for the next
revision.

> > +				do_div(tmp, factor);
> > +				do_div(tmp2, factor);
> > +			}
> > +			*val = tmp;
> > +			*val2 = tmp2;
>
> And beside the above points, the whole mechanism seems broken. The
> returned value
> in the third argument to check_mul_overflow isn't useful if there is an
> overflow.
> Yet, the code continues to use tmp and tmp2 in case of overflow. And why
> do you
> first multiply tmp and tmp2 without checks, only to then do the same mul
> again
> but with checks? Or have I completely misunderstood how
> check_mul_overflow
> works?
>

Again, my apologies for this. It's not what I meant to send.
Hopefully the snippet above makes more sense.

Thanks for your time,
Liam

> Cheers,
> Peter
>
> >  			return ret;
> >  		case IIO_VAL_INT:
> >  			*val *= rescale->numerator;
> > 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ