| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251208111641.4160-1-bigalex934@gmail.com>
Date: Mon, 8 Dec 2025 14:16:41 +0300
From: Alexey Simakov <bigalex934@...il.com>
To: Gerd Hoffmann <kraxel@...hat.com>
Cc: Alexey Simakov <bigalex934@...il.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>,
Dave Airlie <airlied@...hat.com>,
virtualization@...ts.linux.dev,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH] drm/bochs: avoid sign extension in video memory size
When bochs_dispi_read() returns a value in the 0x8000–0xFFFF range,
the expression bochs_dispi_read() * 64 * 1024 is computed in signed
int and then promoted to unsigned long, which can lead to
int -> unsigned long sign extension.
Cast the multipliers to unsigned long so that the multiplication is
done in unsigned long and covers the full range of the DISPI video
memory register without sign extension.
The QEMU stdvga device using the bochs dispi interface exposes video
memory up to 256 MB, so this change is made against malicious or
out-of-spec return values from the device.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 0a6659bdc5e8 ("drm/bochs: new driver")
Signed-off-by: Alexey Simakov <bigalex934@...il.com>
---
drivers/gpu/drm/tiny/bochs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tiny/bochs.c b/drivers/gpu/drm/tiny/bochs.c
index d2d5e9f1269f..943bceadd2f4 100644
--- a/drivers/gpu/drm/tiny/bochs.c
+++ b/drivers/gpu/drm/tiny/bochs.c
@@ -258,7 +258,7 @@ static int bochs_hw_init(struct bochs_device *bochs)
id = bochs_dispi_read(bochs, VBE_DISPI_INDEX_ID);
mem = bochs_dispi_read(bochs, VBE_DISPI_INDEX_VIDEO_MEMORY_64K)
- * 64 * 1024;
+ * 64UL * 1024UL;
if ((id & 0xfff0) != VBE_DISPI_ID0) {
DRM_ERROR("ID mismatch\n");
return -ENODEV;
--
2.34.1
Powered by blists - more mailing lists