lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAA8EJpog5yn5kiabJOZRipTx--onH9cepPe0dD4nA=Hm0aZS+g@mail.gmail.com>
Date: Sat, 27 Apr 2024 04:44:33 +0300
From: Dmitry Baryshkov <dmitry.baryshkov@...aro.org>
To: Douglas Anderson <dianders@...omium.org>
Cc: dri-devel@...ts.freedesktop.org, Linus Walleij <linus.walleij@...aro.org>, 
	lvzhaoxiong@...qin.corp-partner.google.com, 
	Jani Nikula <jani.nikula@...ux.intel.com>, Hsin-Yi Wang <hsinyi@...gle.com>, 
	Javier Martinez Canillas <javierm@...hat.com>, Neil Armstrong <neil.armstrong@...aro.org>, 
	Joel Selvaraj <jo@...amily.in>, Cong Yang <yangcong5@...qin.corp-partner.google.com>, 
	Sam Ravnborg <sam@...nborg.org>, Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...il.com>, 
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, 
	Thomas Zimmermann <tzimmermann@...e.de>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/8] drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()

On Sat, 27 Apr 2024 at 02:59, Douglas Anderson <dianders@...omium.org> wrote:
>
> The mipi_dsi_dcs_write_seq() macro makes a call to
> mipi_dsi_dcs_write_buffer() which returns a type ssize_t. The macro
> then stores it in an int and checks to see if it's negative. This
> could theoretically be a problem if "ssize_t" is larger than "int".
>
> To see the issue, imagine that "ssize_t" is 32-bits and "int" is
> 16-bits, you could see a problem if there was some code out there that
> looked like:
>
>   mipi_dsi_dcs_write_seq(dsi, cmd, <32767 bytes as arguments>);
>
> ...since we'd get back that 32768 bytes were transferred and 32768
> stored in a 16-bit int would look negative.
>
> Though there are no callsites where we'd actually hit this (even if
> "int" was only 16-bit), it's cleaner to make the types match so let's
> fix it.
>
> Fixes: 2a9e9daf7523 ("drm/mipi-dsi: Introduce mipi_dsi_dcs_write_seq macro")
> Signed-off-by: Douglas Anderson <dianders@...omium.org>
> ---
>
> Changes in v2:
> - New
>
>  include/drm/drm_mipi_dsi.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
> index 82b1cc434ea3..b3576be22bfa 100644
> --- a/include/drm/drm_mipi_dsi.h
> +++ b/include/drm/drm_mipi_dsi.h
> @@ -337,12 +337,12 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
>         do {                                                               \
>                 static const u8 d[] = { cmd, seq };                        \
>                 struct device *dev = &dsi->dev;                            \
> -               int ret;                                                   \
> +               ssize_t ret;                                               \
>                 ret = mipi_dsi_dcs_write_buffer(dsi, d, ARRAY_SIZE(d));    \
>                 if (ret < 0) {                                             \
>                         dev_err_ratelimited(                               \
>                                 dev, "sending command %#02x failed: %d\n", \
> -                               cmd, ret);                                 \
> +                               cmd, (int)ret);                            \

Please consider using %zd instead

>                         return ret;                                        \
>                 }                                                          \
>         } while (0)
> --
> 2.44.0.769.g3c40516874-goog
>


-- 
With best wishes
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ