| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250923131219.163463-1-mdmitrichenko@astralinux.ru>
Date: Tue, 23 Sep 2025 16:12:20 +0300
From: Mikhail Dmitrichenko <mdmitrichenko@...ralinux.ru>
To: Michael Turquette <mturquette@...libre.com>
Cc: Mikhail Dmitrichenko <mdmitrichenko@...ralinux.ru>,
Stephen Boyd <sboyd@...nel.org>,
Florian Fainelli <florian.fainelli@...adcom.com>,
Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>,
Ray Jui <rjui@...adcom.com>,
Scott Branden <sbranden@...adcom.com>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Brian Masney <bmasney@...hat.com>,
Eric Anholt <eric@...olt.net>,
linux-clk@...r.kernel.org,
linux-rpi-kernel@...ts.infradead.org,
linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH] clk: bcm: fix potential int overflow in bcm2835_measure_tcnt_mux
If the value in CM_TCNTCNT is close to 2^24 (24 is the width of
CM_TCNTCNT), then multiplication (count * 1000) will lead to integer
overflow.
Make bcm2835_measure_tcnt_mux return a u64 value instead of an unsigned
long and cast count to u64 before multiplying it by 1000 to avoid
overflow. Also correct the format string at bcm2835_clock_on for showing
debug data, which includes the bcm2835_measure_tcnt_mux call result.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 3f9195811d8d ("clk: bcm2835: Add leaf clock measurement support, disabled by default")
Signed-off-by: Mikhail Dmitrichenko <mdmitrichenko@...ralinux.ru>
---
drivers/clk/bcm/clk-bcm2835.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
index 02215ea79403..9ffef2b0e820 100644
--- a/drivers/clk/bcm/clk-bcm2835.c
+++ b/drivers/clk/bcm/clk-bcm2835.c
@@ -345,7 +345,7 @@ static inline u32 cprman_read(struct bcm2835_cprman *cprman, u32 reg)
/* Does a cycle of measuring a clock through the TCNT clock, which may
* source from many other clocks in the system.
*/
-static unsigned long bcm2835_measure_tcnt_mux(struct bcm2835_cprman *cprman,
+static u64 bcm2835_measure_tcnt_mux(struct bcm2835_cprman *cprman,
u32 tcnt_mux)
{
u32 osccount = 19200; /* 1ms */
@@ -394,7 +394,7 @@ static unsigned long bcm2835_measure_tcnt_mux(struct bcm2835_cprman *cprman,
out:
spin_unlock(&cprman->regs_lock);
- return count * 1000;
+ return (u64)count * 1000;
}
static void bcm2835_debugfs_regset(struct bcm2835_cprman *cprman, u32 base,
@@ -1093,7 +1093,7 @@ static int bcm2835_clock_on(struct clk_hw *hw)
*/
if (data->tcnt_mux && false) {
dev_info(cprman->dev,
- "clk %s: rate %ld, measure %ld\n",
+ "clk %s: rate %ld, measure %llu\n",
data->name,
clk_hw_get_rate(hw),
bcm2835_measure_tcnt_mux(cprman, data->tcnt_mux));
--
2.39.2
Powered by blists - more mailing lists