lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a08cd653-2b2b-4b50-a1eb-0e13be4c946f@xs4all.nl>
Date: Wed, 16 Oct 2024 12:40:07 +0200
From: Hans Verkuil <hverkuil@...all.nl>
To: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
Cc: linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH 13/13] media: pulse8-cec: fix data timestamp at
 pulse8_setup()

On 16/10/2024 12:22, Mauro Carvalho Chehab wrote:
> There is a hidden overflow condition there. As date is signed
> and u8 is unsigned, doing:
> 
> 	date = (data[0] << 24)
> 
> With a value bigger than 07f will make all upper bits of date
> 0xffffffff. This can be demonstrated with this small code:
> 
> <code>
> 
> typedef int64_t time64_t;
> typedef uint8_t u8;
> 
> int main(void)
> {
> 	u8 data[] = { 0xde ,0xad , 0xbe, 0xef };
> 	time64_t date;
> 
> 	date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
> 	printf("Invalid data = 0x%08lx\n", date);
> 
> 	date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
> 	printf("Expected data = 0x%08lx\n", date);
> 
> 	return 0;
> }
> </code>
> 
> Fix it by converting the upper bit calculation to unsigned.
> 
> Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order")
> Cc: stable@...r.kernel.org

Not a fix either, just an improvement. The worst that can happen is that in 2038
the wrong date is shown, provided they release new firmware for this device in
that year :-)

Regards,

	Hans

> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
> ---
>  drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/cec/usb/pulse8/pulse8-cec.c b/drivers/media/cec/usb/pulse8/pulse8-cec.c
> index ba67587bd43e..171366fe3544 100644
> --- a/drivers/media/cec/usb/pulse8/pulse8-cec.c
> +++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c
> @@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *pulse8, struct serio *serio,
>  	err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4);
>  	if (err)
>  		return err;
> -	date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
> +	date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
>  	dev_info(pulse8->dev, "Firmware build date %ptT\n", &date);
>  
>  	dev_dbg(pulse8->dev, "Persistent config:\n");

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ