lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250613112210.22731-4-demonsingur@gmail.com>
Date: Fri, 13 Jun 2025 14:21:53 +0300
From: Cosmin Tanislav <demonsingur@...il.com>
To: 
Cc: Sean Young <sean@...s.org>,
	Mauro Carvalho Chehab <mchehab@...nel.org>,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Cosmin Tanislav <demonsingur@...il.com>
Subject: [PATCH v5 3/3] media: rc: ir-spi: avoid overflow in multiplication

Switch to u64 arithmetic and use DIV_ROUND_CLOSEST_ULL() to avoid
the overflow.

buffer[i] is unsigned int and is limited by the lirc core to
IR_MAX_DURATION, which is 500000.

idata->freq is u32, which has a max value of 0xFFFFFFFF.

In the case where buffer[i] is 500000, idata->freq overflows the u32
multiplication for any values >= 8590.

0xFFFFFFFF / 500000 ~= 8589

By casting buffer[i] to u64, idata->freq can be any u32 value without
overflowing the multiplication.

0xFFFFFFFFFFFFFFFF / 500000 ~= 36893488147419 (> 4294967295)

The result of the final operation will fit back into the unsigned int
limits without any issues.

500000 * 0xFFFFFFFF / 1000000 = 0x80000000 (< 0xFFFFFFFF)

Signed-off-by: Cosmin Tanislav <demonsingur@...il.com>
---
 drivers/media/rc/ir-spi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c
index 0b54ad74cec0..392441e0c116 100644
--- a/drivers/media/rc/ir-spi.c
+++ b/drivers/media/rc/ir-spi.c
@@ -46,7 +46,8 @@ static int ir_spi_tx(struct rc_dev *dev, unsigned int *buffer, unsigned int coun
 
 	/* convert the pulse/space signal to raw binary signal */
 	for (i = 0; i < count; i++) {
-		buffer[i] = DIV_ROUND_CLOSEST(buffer[i] * idata->freq, 1000000);
+		buffer[i] = DIV_ROUND_CLOSEST_ULL((u64)buffer[i] * idata->freq,
+						  1000000);
 		len += buffer[i];
 	}
 
-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ