| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Apr 2024 08:22:02 +0200
From: Sam Ravnborg <sam@...nborg.org>
To: Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
Douglas Anderson <dianders@...omium.org>
Cc: Douglas Anderson <dianders@...omium.org>,
dri-devel@...ts.freedesktop.org,
Linus Walleij <linus.walleij@...aro.org>,
lvzhaoxiong@...qin.corp-partner.google.com,
Jani Nikula <jani.nikula@...ux.intel.com>,
Hsin-Yi Wang <hsinyi@...gle.com>,
Javier Martinez Canillas <javierm@...hat.com>,
Neil Armstrong <neil.armstrong@...aro.org>,
Joel Selvaraj <jo@...amily.in>,
Cong Yang <yangcong5@...qin.corp-partner.google.com>,
Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...il.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/8] drm/mipi-dsi: Fix theoretical int overflow in
mipi_dsi_dcs_write_seq()
On Sat, Apr 27, 2024 at 04:44:33AM +0300, Dmitry Baryshkov wrote:
> On Sat, 27 Apr 2024 at 02:59, Douglas Anderson <dianders@...omium.org> wrote:
> >
> > The mipi_dsi_dcs_write_seq() macro makes a call to
> > mipi_dsi_dcs_write_buffer() which returns a type ssize_t. The macro
> > then stores it in an int and checks to see if it's negative. This
> > could theoretically be a problem if "ssize_t" is larger than "int".
> >
> > To see the issue, imagine that "ssize_t" is 32-bits and "int" is
> > 16-bits, you could see a problem if there was some code out there that
> > looked like:
> >
> > mipi_dsi_dcs_write_seq(dsi, cmd, <32767 bytes as arguments>);
> >
> > ...since we'd get back that 32768 bytes were transferred and 32768
> > stored in a 16-bit int would look negative.
> >
> > Though there are no callsites where we'd actually hit this (even if
> > "int" was only 16-bit), it's cleaner to make the types match so let's
> > fix it.
> >
> > Fixes: 2a9e9daf7523 ("drm/mipi-dsi: Introduce mipi_dsi_dcs_write_seq macro")
> > Signed-off-by: Douglas Anderson <dianders@...omium.org>
> > ---
> >
> > Changes in v2:
> > - New
> >
> > include/drm/drm_mipi_dsi.h | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
> > index 82b1cc434ea3..b3576be22bfa 100644
> > --- a/include/drm/drm_mipi_dsi.h
> > +++ b/include/drm/drm_mipi_dsi.h
> > @@ -337,12 +337,12 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
> > do { \
> > static const u8 d[] = { cmd, seq }; \
> > struct device *dev = &dsi->dev; \
> > - int ret; \
> > + ssize_t ret; \
> > ret = mipi_dsi_dcs_write_buffer(dsi, d, ARRAY_SIZE(d)); \
> > if (ret < 0) { \
> > dev_err_ratelimited( \
> > dev, "sending command %#02x failed: %d\n", \
> > - cmd, ret); \
> > + cmd, (int)ret); \
>
> Please consider using %zd instead
Hi Douglas,
please consider the above for all the pathces, there are more places
where a cast can be dropped.
Sam
Powered by blists - more mailing lists