lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87o7jrw1nr.fsf@intel.com>
Date: Tue, 01 Aug 2023 12:30:00 +0300
From: Jani Nikula <jani.nikula@...ux.intel.com>
To: Ziqi Zhao <astrajoan@...oo.com>, astrajoan@...oo.com, airlied@...il.com,
 daniel@...ll.ch, dri-devel@...ts.freedesktop.org,
 ivan.orlov0322@...il.com, maarten.lankhorst@...ux.intel.com,
 mripard@...nel.org, skhan@...uxfoundation.org, tzimmermann@...e.de
Cc: netdev@...r.kernel.org, dsahern@...nel.org,
 syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org,
 edumazet@...gle.com, jiri@...dia.com, jacob.e.keller@...el.com,
 kuba@...nel.org, pabeni@...hat.com, davem@...emloft.net,
 syzbot+622bba18029bcde672e1@...kaller.appspotmail.com
Subject: Re: [PATCH] drm/modes: Fix division by zero error

On Fri, 21 Jul 2023, Ziqi Zhao <astrajoan@...oo.com> wrote:
> In the bug reported by Syzbot, the variable `den == (1 << 22)` and
> `mode->vscan == (1 << 10)`, causing the multiplication to overflow and
> accidentally make `den == 0`. To prevent any chance of overflow, we
> replace `num` and `den` with 64-bit unsigned integers, and explicitly
> check if the divisor `den` will overflow. If so, we employ full 64-bit
> division with rounding; otherwise we keep the 64-bit to 32-bit division
> that could potentially be better optimized.
>
> In order to minimize the performance overhead, the overflow check for
> `den` is wrapped with an `unlikely` condition. Please let me know if
> this usage is appropriate.
>
> Reported-by: syzbot+622bba18029bcde672e1@...kaller.appspotmail.com
> Signed-off-by: Ziqi Zhao <astrajoan@...oo.com>
> ---
>  drivers/gpu/drm/drm_modes.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
> index ac9a406250c5..aa98bd7b8bc9 100644
> --- a/drivers/gpu/drm/drm_modes.c
> +++ b/drivers/gpu/drm/drm_modes.c
> @@ -1285,13 +1285,13 @@ EXPORT_SYMBOL(drm_mode_set_name);
>   */
>  int drm_mode_vrefresh(const struct drm_display_mode *mode)
>  {
> -	unsigned int num, den;
> +	unsigned long long num, den;

I think making them u64 would be more clear.

>  
>  	if (mode->htotal == 0 || mode->vtotal == 0)
>  		return 0;
>  
> -	num = mode->clock;
> -	den = mode->htotal * mode->vtotal;
> +	num = mul_u32_u32(mode->clock, 1000);
> +	den = mul_u32_u32(mode->htotal, mode->vtotal);
>  
>  	if (mode->flags & DRM_MODE_FLAG_INTERLACE)
>  		num *= 2;
> @@ -1300,7 +1300,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
>  	if (mode->vscan > 1)
>  		den *= mode->vscan;
>  
> -	return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> +	if (unlikely(den >> 32))

More intuitively, den > UINT_MAX.

> +		return div64_u64(num + (den >> 1), den);

More intuitively, DIV64_U64_ROUND_CLOSEST(num, den).

> +	else

The else after a branch with return is unnecessary. Someone's going to
send a patch to remove it later if you leave it in.

BR,
Jani.

> +		return DIV_ROUND_CLOSEST_ULL(num, (unsigned int) den);
>  }
>  EXPORT_SYMBOL(drm_mode_vrefresh);

-- 
Jani Nikula, Intel Open Source Graphics Center

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ