lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250214132910.2611f9cd@pumpkin>
Date: Fri, 14 Feb 2025 13:29:10 +0000
From: David Laight <david.laight.linux@...il.com>
To: Alex Lanzano <lanzano.alex@...il.com>
Cc: Nikita Zhandarovich <n.zhandarovich@...tech.ru>, Noralf Trønnes <noralf@...nnes.org>, Maarten Lankhorst
 <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>,
 Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>,
 Simona Vetter <simona@...ll.ch>, dri-devel@...ts.freedesktop.org,
 linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] drm/repaper: fix integer overflows in repeat functions

On Thu, 13 Feb 2025 20:54:59 -0500
Alex Lanzano <lanzano.alex@...il.com> wrote:

> On Thu, Jan 16, 2025 at 05:48:01AM -0800, Nikita Zhandarovich wrote:
> > There are conditions, albeit somewhat unlikely, under which right hand
> > expressions, calculating the end of time period in functions like
> > repaper_frame_fixed_repeat(), may overflow.
> > 
> > For instance, if 'factor10x' in repaper_get_temperature() is high
> > enough (170), as is 'epd->stage_time' in repaper_probe(), then the
> > resulting value of 'end' will not fit in unsigned int expression.
> > 
> > Mitigate this by casting 'epd->factored_stage_time' to wider type before
> > any multiplication is done.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with static
> > analysis tool SVACE.
> > 
> > Fixes: 3589211e9b03 ("drm/tinydrm: Add RePaper e-ink driver")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
> > ---
> >  drivers/gpu/drm/tiny/repaper.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/tiny/repaper.c b/drivers/gpu/drm/tiny/repaper.c
> > index 77944eb17b3c..d76c0e8e05f5 100644
> > --- a/drivers/gpu/drm/tiny/repaper.c
> > +++ b/drivers/gpu/drm/tiny/repaper.c
> > @@ -456,7 +456,7 @@ static void repaper_frame_fixed_repeat(struct repaper_epd *epd, u8 fixed_value,
> >  				       enum repaper_stage stage)
> >  {
> >  	u64 start = local_clock();
> > -	u64 end = start + (epd->factored_stage_time * 1000 * 1000);
> > +	u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
> >  
> >  	do {
> >  		repaper_frame_fixed(epd, fixed_value, stage);
> > @@ -467,7 +467,7 @@ static void repaper_frame_data_repeat(struct repaper_epd *epd, const u8 *image,
> >  				      const u8 *mask, enum repaper_stage stage)
> >  {
> >  	u64 start = local_clock();
> > -	u64 end = start + (epd->factored_stage_time * 1000 * 1000);
> > +	u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
> >  
> >  	do {
> >  		repaper_frame_data(epd, image, mask, stage);  
> 
> It might be best to change the underlying type in the struct instead of
> type casting

That'll just make people think there is a different overflow.
It'd also force the compiler to use a wider multiply.

A more subtle approach is to change the type of the first 1000 to 1000ull.

Personally I like to see the units on variables containing times (x_s, _ms, _ns)
since it makes off-by-1000 errors less likely and you can more easily tell
whether overflow if likely.

	David 

> 
> Best regards,
> Alex
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ