Message-ID: <c7a7f4ec1cc32825e66978a7fccc9306fd309abd.camel@mediatek.com>
Date:   Tue, 12 Sep 2023 09:14:55 +0000
From:   CK Hu (胡俊光) <ck.hu@...iatek.com>
To:     Jason-JH Lin (林睿祥) 
        <Jason-JH.Lin@...iatek.com>,
        "chunkuang.hu@...nel.org" <chunkuang.hu@...nel.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Singo Chang (張興國) 
        <Singo.Chang@...iatek.com>,
        Johnson Wang (王聖鑫) 
        <Johnson.Wang@...iatek.com>,
        Jason-ch Chen (陳建豪) 
        <Jason-ch.Chen@...iatek.com>,
        Shawn Sung (宋孝謙) 
        <Shawn.Sung@...iatek.com>,
        "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        Nancy Lin (林欣螢) <Nancy.Lin@...iatek.com>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        Project_Global_Chrome_Upstream_Group 
        <Project_Global_Chrome_Upstream_Group@...iatek.com>,
        "amergnat@...libre.com" <amergnat@...libre.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "angelogioacchino.delregno@...labora.com" 
        <angelogioacchino.delregno@...labora.com>
Subject: Re: [PATCH v5] drm/mediatek: Fix coverity issue with unintentional
 integer overflow

Hi, Jason:

On Thu, 2023-09-07 at 17:14 +0800, Jason-JH.Lin wrote:
> 1. Instead of multiplying 2 variables of different types, change to
> assign a value of one variable and then multiply the other variable.
> 
> 2. Add an int variable for multiplier calculation instead of
> calculating different types multiplier with dma_addr_t variable
> directly.

Applied. Thanks.

Regards,
CK

> 
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@...iatek.com>
> Reviewed-by: Alexandre Mergnat <amergnat@...libre.com>
> Reviewed-by: AngeloGioacchino Del Regno <
> angelogioacchino.delregno@...labora.com>
> ---
> Change in v5:
> Add 'coverity issue' in title and code comments.
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  9 +++++-
>  drivers/gpu/drm/mediatek/mtk_drm_plane.c | 39 ++++++++++++++++++--
> ----
>  2 files changed, 38 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index 9f364df52478..f6632a0fe509 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
>  	int ret;
>  
>  	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> -	args->size = args->pitch * args->height;
> +
> +	/*
> +	 * Multiply 2 variables of different types,
> +	 * for example: args->size = args->spacing * args->height;
> +	 * may cause coverity issue with unintentional overflow.
> +	 */
> +	args->size = args->pitch;
> +	args->size *= args->height;
>  
>  	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
>  	if (IS_ERR(mtk_gem))
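
Review bot: The new comment's example names `args->spacing`, which does not appear in this function; the removed line and its replacement both use `args->pitch`, so the example should read `args->size = args->pitch * args->height;`. The comment would also age better if it stated the arithmetic reason (the product is evaluated at the operands' width before it is stored in `args->size`) rather than the tool that flagged it. Separately, the context line `args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);` still multiplies two fields of `args` with no range check, so a wrapped pitch would feed the widened multiply; a `check_mul_overflow()` on that product would close the gap.
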
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index db2f70ae060d..5acb03b7c6fe 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	dma_addr_t addr;
>  	dma_addr_t hdr_addr = 0;
>  	unsigned int hdr_pitch = 0;
> +	int offset;
>  
>  	gem = fb->obj[0];
>  	mtk_gem = to_mtk_gem_obj(gem);
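
Review bot: `offset` is declared as a signed `int` here but is only ever added to `dma_addr_t addr`, so a product that does not fit in an `int` would reach the address as a negative value. Declaring it `unsigned int` like `hdr_pitch`, or `dma_addr_t` with one operand cast before the multiply, would avoid the sign extension.
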
> @@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	modifier = fb->modifier;
>  
>  	if (modifier == DRM_FORMAT_MOD_LINEAR) {
> -		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> -		addr += (new_state->src.y1 >> 16) * pitch;
> +		/*
> +		 * Using dma_addr_t variable to calculate with
> multiplier of different types,
> +		 * for example: addr += (new_state->src.x1 >> 16) * fb-
> >format->cpp[0];
> +		 * may cause coverity issue with unintentional
> overflow.
> +		 */
> +		offset = (new_state->src.x1 >> 16) * fb->format-
> >cpp[0];
> +		addr += offset;
> +		offset = (new_state->src.y1 >> 16) * pitch;
> +		addr += offset;
>  	} else {
>  		int width_in_blocks = ALIGN(fb->width,
> AFBC_DATA_BLOCK_WIDTH)
>  				      / AFBC_DATA_BLOCK_WIDTH;
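
Review bot: In the linear branch, `offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];` still performs the multiplication at the operands' width, so routing it through a temporary does not stop the product from wrapping; it only changes what the analyzer sees. If the intent is to rule out overflow, cast one operand before multiplying, for example `addr += (dma_addr_t)(new_state->src.x1 >> 16) * fb->format->cpp[0];`, and do the same on the `pitch` line. The comment could then state the bound that makes the product safe instead of the Coverity warning.
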
> @@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  				       / AFBC_DATA_BLOCK_HEIGHT;
>  		int x_offset_in_blocks = (new_state->src.x1 >> 16) /
> AFBC_DATA_BLOCK_WIDTH;
>  		int y_offset_in_blocks = (new_state->src.y1 >> 16) /
> AFBC_DATA_BLOCK_HEIGHT;
> -		int hdr_size;
> +		int hdr_size, hdr_offset;
>  
>  		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
>  		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
>  			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>  
>  		hdr_size = ALIGN(hdr_pitch * height_in_blocks,
> AFBC_HEADER_ALIGNMENT);
> +		hdr_offset = hdr_pitch * y_offset_in_blocks +
> +			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +
> +		/*
> +		 * Using dma_addr_t variable to calculate with
> multiplier of different types,
> +		 * for example: addr += hdr_pitch * y_offset_in_blocks;
> +		 * may cause coverity issue with unintentional
> overflow.
> +		 */
> +		hdr_addr = addr + hdr_offset;
>  
> -		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> -			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
>  		/* The data plane is offset by 1 additional block. */
> -		addr = addr + hdr_size +
> -		       pitch * y_offset_in_blocks +
> -		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> -		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		offset = pitch * y_offset_in_blocks +
> +			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT
> *
> +			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +
> +		/*
> +		 * Using dma_addr_t variable to calculate with
> multiplier of different types,
> +		 * for example: addr += pitch * y_offset_in_blocks;
> +		 * may cause coverity issue with unintentional
> overflow.
> +		 */
> +		addr = addr + hdr_size + offset;
>  	}
>  
>  	mtk_plane_state->pending.enable = true;
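
Review bot: In the AFBC branch, `hdr_offset` and `offset` each sum two products into an `int` with no bounds check, and `hdr_pitch` (declared `unsigned int` in the earlier hunk) is multiplied by the `int` `y_offset_in_blocks`, so the signedness of the intermediate differs from the variable that stores it. `hdr_size` is likewise still an `int` added directly to `addr`. The same comment block now appears three times in this function and sits above the additions rather than the multiplications it describes; a single comment at the first use, or a small helper that returns the offset as `dma_addr_t`, would be easier to maintain.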

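An added example, not part of the original patch or thread: a user-space C model of the arithmetic patterns this patch touches, plus an overflow-checked variant built on the GCC/Clang `__builtin_add_overflow` builtin. The fixed-width types and function names are assumptions standing in for the driver's fields (the hunks do not show the real declarations), and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Removed pattern: product formed in 32 bits, widened only afterwards. */
static uint64_t size_mul_then_widen(uint32_t pitch, uint32_t height)
{
	return pitch * height;
}

/* Pattern added in mtk_drm_gem.c: widen first, multiply in 64 bits. */
static uint64_t size_widen_then_mul(uint32_t pitch, uint32_t height)
{
	uint64_t size = pitch;
	size *= height;
	return size;
}

/* Pattern added in mtk_drm_plane.c (types assumed): the product is still
 * 32-bit and lands in a signed temporary before reaching the address. */
static uint64_t addr_via_int_temp(uint64_t addr, int32_t y, uint32_t pitch)
{
	int32_t offset = (int32_t)((uint32_t)y * pitch);
	addr += offset;	/* sign-extends if offset is negative */
	return addr;
}

/* Checked alternative: 64-bit product, then an overflow-checked add. */
static bool addr_checked(uint64_t addr, uint32_t y, uint32_t pitch,
			 uint64_t *out)
{
	uint64_t offset = (uint64_t)y * pitch;
	return !__builtin_add_overflow(addr, offset, out);
}

int main(void)
{
	uint64_t base = 0x100000000ULL, ok = 0;	/* constructed values */

	printf("%llu vs %llu\n",
	       (unsigned long long)size_mul_then_widen(262144, 16385),
	       (unsigned long long)size_widen_then_mul(262144, 16385));
	printf("%llu\n", (unsigned long long)addr_via_int_temp(base, 40000, 65536));
	if (addr_checked(base, 40000, 65536, &ok))
		printf("%llu\n", (unsigned long long)ok);
	return 0;
}
```
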