| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250121061746.2730572-1-linux@roeck-us.net>
Date: Mon, 20 Jan 2025 22:17:46 -0800
From: Guenter Roeck <linux@...ck-us.net>
To: Jani Nikula <jani.nikula@...ux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@...el.com>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Tvrtko Ursulin <tursulin@...ulin.net>,
David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>,
intel-gfx@...ts.freedesktop.org,
intel-xe@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
Guenter Roeck <linux@...ck-us.net>,
Linus Torvalds <torvalds@...ux-foundation.org>,
David Laight <david.laight.linux@...il.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Subject: [PATCH] drm/i915/backlight: Return immediately when scale() finds invalid parameters
The scale() functions detects invalid parameters, but continues
its calculations anyway. This causes bad results if negative values
are used for unsigned operations. Worst case, a division by 0 error
will be seen if source_min == source_max.
On top of that, after v6.13, the sequence of WARN_ON() followed by clamp()
may result in a build error with gcc 13.x.
drivers/gpu/drm/i915/display/intel_backlight.c: In function 'scale':
include/linux/compiler_types.h:542:45: error:
call to '__compiletime_assert_415' declared with attribute error:
clamp() low limit source_min greater than high limit source_max
This happens if the compiler decides to rearrange the code as follows.
if (source_min > source_max) {
WARN(..);
/* Do the clamp() knowing that source_min > source_max */
source_val = clamp(source_val, source_min, source_max);
} else {
/* Do the clamp knowing that source_min <= source_max */
source_val = clamp(source_val, source_min, source_max);
}
Fix the problem by evaluating the return values from WARN_ON and returning
immediately after a warning. While at it, fix divide by zero error seen
if source_min == source_max.
Analyzed-by: Linus Torvalds <torvalds@...ux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
Suggested-by: David Laight <david.laight.linux@...il.com>
Cc: David Laight <david.laight.linux@...il.com>
Cc: Jani Nikula <jani.nikula@...ux.intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Signed-off-by: Guenter Roeck <linux@...ck-us.net>
---
drivers/gpu/drm/i915/display/intel_backlight.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/intel_backlight.c b/drivers/gpu/drm/i915/display/intel_backlight.c
index 3f81a726cc7d..ad49bd4a1c12 100644
--- a/drivers/gpu/drm/i915/display/intel_backlight.c
+++ b/drivers/gpu/drm/i915/display/intel_backlight.c
@@ -40,8 +40,11 @@ static u32 scale(u32 source_val,
{
u64 target_val;
- WARN_ON(source_min > source_max);
- WARN_ON(target_min > target_max);
+ if (WARN_ON(target_min > target_max))
+ return target_min;
+
+ if (WARN_ON(source_min > source_max) || source_min == source_max)
+ return target_min + (target_max - target_min) / 2;
/* defensive */
source_val = clamp(source_val, source_min, source_max);
--
2.45.2
Powered by blists - more mailing lists