lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240426165839.v2.2.Iadb65b8add19ed3ae3ed6425011beb97e380a912@changeid>
Date: Fri, 26 Apr 2024 16:58:35 -0700
From: Douglas Anderson <dianders@...omium.org>
To: dri-devel@...ts.freedesktop.org
Cc: Linus Walleij <linus.walleij@...aro.org>,
	lvzhaoxiong@...qin.corp-partner.google.com,
	Jani Nikula <jani.nikula@...ux.intel.com>,
	Hsin-Yi Wang <hsinyi@...gle.com>,
	Javier Martinez Canillas <javierm@...hat.com>,
	Neil Armstrong <neil.armstrong@...aro.org>,
	Joel Selvaraj <jo@...amily.in>,
	Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
	Cong Yang <yangcong5@...qin.corp-partner.google.com>,
	Sam Ravnborg <sam@...nborg.org>,
	Douglas Anderson <dianders@...omium.org>,
	Daniel Vetter <daniel@...ll.ch>,
	David Airlie <airlied@...il.com>,
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
	Maxime Ripard <mripard@...nel.org>,
	Thomas Zimmermann <tzimmermann@...e.de>,
	linux-kernel@...r.kernel.org
Subject: [PATCH v2 2/8] drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()

The mipi_dsi_generic_write_seq() macro makes a call to
mipi_dsi_generic_write() which returns a type ssize_t. The macro then
stores it in an int and checks to see if it's negative. This could
theoretically be a problem if "ssize_t" is larger than "int".

To see the issue, imagine that "ssize_t" is 32-bits and "int" is
16-bits, you could see a problem if there was some code out there that
looked like:

  mipi_dsi_generic_write_seq(dsi, <32768 bytes as arguments>);

..since we'd get back that 32768 bytes were transferred and 32768
stored in a 16-bit int would look negative.

Though there are no callsites where we'd actually hit this (even if
"int" was only 16-bit), it's cleaner to make the types match so let's
fix it.

Fixes: a9015ce59320 ("drm/mipi-dsi: Add a mipi_dsi_dcs_write_seq() macro")
Signed-off-by: Douglas Anderson <dianders@...omium.org>
---

Changes in v2:
- New

 include/drm/drm_mipi_dsi.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
index b3576be22bfa..5de2bd62448b 100644
--- a/include/drm/drm_mipi_dsi.h
+++ b/include/drm/drm_mipi_dsi.h
@@ -318,11 +318,11 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
 	do {                                                                   \
 		static const u8 d[] = { seq };                                 \
 		struct device *dev = &dsi->dev;                                \
-		int ret;                                                       \
+		ssize_t ret;                                                   \
 		ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d));           \
 		if (ret < 0) {                                                 \
 			dev_err_ratelimited(dev, "transmit data failed: %d\n", \
-					    ret);                              \
+					    (int)ret);                         \
 			return ret;                                            \
 		}                                                              \
 	} while (0)
-- 
2.44.0.769.g3c40516874-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ