lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f9adb530-89e6-40f4-af00-c6b407908817@linaro.org>
Date: Thu, 2 May 2024 09:26:56 +0200
From: Neil Armstrong <neil.armstrong@...aro.org>
To: Douglas Anderson <dianders@...omium.org>, dri-devel@...ts.freedesktop.org
Cc: Linus Walleij <linus.walleij@...aro.org>,
 Jani Nikula <jani.nikula@...ux.intel.com>,
 Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
 Cong Yang <yangcong5@...qin.corp-partner.google.com>,
 Hsin-Yi Wang <hsinyi@...gle.com>, Brian Norris <briannorris@...omium.org>,
 Sam Ravnborg <sam@...nborg.org>,
 Javier Martinez Canillas <javierm@...hat.com>, Joel Selvaraj
 <jo@...amily.in>, lvzhaoxiong@...qin.corp-partner.google.com,
 Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...il.com>,
 Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
 Maxime Ripard <mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/9] drm/mipi-dsi: Fix theoretical int overflow in
 mipi_dsi_generic_write_seq()

On 01/05/2024 17:41, Douglas Anderson wrote:
> The mipi_dsi_generic_write_seq() macro makes a call to
> mipi_dsi_generic_write() which returns a type ssize_t. The macro then
> stores it in an int and checks to see if it's negative. This could
> theoretically be a problem if "ssize_t" is larger than "int".
> 
> To see the issue, imagine that "ssize_t" is 32-bits and "int" is
> 16-bits, you could see a problem if there was some code out there that
> looked like:
> 
>    mipi_dsi_generic_write_seq(dsi, <32768 bytes as arguments>);
> 
> ...since we'd get back that 32768 bytes were transferred and 32768
> stored in a 16-bit int would look negative.
> 
> Though there are no callsites where we'd actually hit this (even if
> "int" was only 16-bit), it's cleaner to make the types match so let's
> fix it.
> 
> Fixes: a9015ce59320 ("drm/mipi-dsi: Add a mipi_dsi_dcs_write_seq() macro")
> Signed-off-by: Douglas Anderson <dianders@...omium.org>
> ---
> 
> Changes in v3:
> - Use %zd in print instead of casting errors to int.
> 
> Changes in v2:
> - New
> 
>   include/drm/drm_mipi_dsi.h | 22 +++++++++++-----------
>   1 file changed, 11 insertions(+), 11 deletions(-)
> 
> diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
> index 70ce0b8cbc68..e0f56564bf97 100644
> --- a/include/drm/drm_mipi_dsi.h
> +++ b/include/drm/drm_mipi_dsi.h
> @@ -314,17 +314,17 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
>    * @dsi: DSI peripheral device
>    * @seq: buffer containing the payload
>    */
> -#define mipi_dsi_generic_write_seq(dsi, seq...)                                \
> -	do {                                                                   \
> -		static const u8 d[] = { seq };                                 \
> -		struct device *dev = &dsi->dev;                                \
> -		int ret;                                                       \
> -		ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d));           \
> -		if (ret < 0) {                                                 \
> -			dev_err_ratelimited(dev, "transmit data failed: %d\n", \
> -					    ret);                              \
> -			return ret;                                            \
> -		}                                                              \
> +#define mipi_dsi_generic_write_seq(dsi, seq...)                                 \
> +	do {                                                                    \
> +		static const u8 d[] = { seq };                                  \
> +		struct device *dev = &dsi->dev;                                 \
> +		ssize_t ret;                                                    \
> +		ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d));            \
> +		if (ret < 0) {                                                  \
> +			dev_err_ratelimited(dev, "transmit data failed: %zd\n", \
> +					    ret);                               \
> +			return ret;                                             \
> +		}                                                               \
>   	} while (0)
>   
>   /**

Reviewed-by: Neil Armstrong <neil.armstrong@...aro.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ