lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y2Nz7wB5ovzgrs6N@kadam>
Date:   Thu, 3 Nov 2022 10:55:27 +0300
From:   Dan Carpenter <error27@...il.com>
To:     Deepak R Varma <drv@...lo.com>
Cc:     outreachy@...ts.linux.dev,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: staging: emxx_udc question on i_write_length datatype

On Thu, Nov 03, 2022 at 12:57:09PM +0530, Deepak R Varma wrote:
> Hello,
> While reviewing this [1] coccicheck warning, I observed something that concerned
> me. The variable i_write_length is declared to be of u32 type. Later it is
> assigned a value DMA_MAX_COUNT * mpkt; which is 256 * u32;
> 
> I am unable to estimate if mpkt (or max packet size) can attain value greater
> than 16777215 in which case the result will overflow the 32 bits of
> i_write_length. Is it safe to make i_write_length to be a u64?
> 
> [1] drivers/staging/emxx_udc/emxx_udc.c:1007:28-29: WARNING opportunity for min()
> 

drivers/staging/emxx_udc/emxx_udc.c
   983  static int _nbu2ss_in_dma(struct nbu2ss_udc *udc, struct nbu2ss_ep *ep,
   984                            struct nbu2ss_req *req, u32 num, u32 length)
   985  {
   986          dma_addr_t      p_buffer;
   987          u32             mpkt;           /* MaxPacketSize */
   988          u32             lmpkt;          /* Last Packet Data Size */
   989          u32             dmacnt;         /* IN Data Size */
   990          u32             i_write_length;
   991          u32             data;
   992          int             result = -EINVAL;
   993          struct fc_regs __iomem *preg = udc->p_regs;
   994  
   995          if (req->dma_flag)
   996                  return 1;               /* DMA is forwarded */
   997  
   998  #ifdef USE_DMA
   999          if (req->req.actual == 0)
  1000                  _nbu2ss_dma_map_single(udc, ep, req, USB_DIR_IN);
  1001  #endif
  1002          req->dma_flag = true;
  1003  
  1004          /* MAX Packet Size */
  1005          mpkt = _nbu2ss_readl(&preg->EP_REGS[num].EP_PCKT_ADRS) & EPN_MPKT;
                                                                         ^^^^^^^^
mpkt is 0-0x7ff so 256 * 0x7ff will not be greater than UINT_MAX.

  1006  
  1007          if ((DMA_MAX_COUNT * mpkt) < length)
  1008                  i_write_length = DMA_MAX_COUNT * mpkt;
  1009          else
  1010                  i_write_length = length;
  1011  
  1012          /*------------------------------------------------------------*/
  1013          /* Number of transmission packets */
  1014          if (mpkt < i_write_length) {

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ