Re: [PATCH 8/8] platform: vivid-cec: fix potential integer overflow in vivid_cec_pin_adap_events

From: Gustavo A. R. Silva
Date: Tue Jan 30 2018 - 05:55:51 EST



Quoting Hans Verkuil <hverkuil@xxxxxxxxx>:

On 01/30/2018 09:51 AM, Gustavo A. R. Silva wrote:
Hi Hans,

Quoting Hans Verkuil <hverkuil@xxxxxxxxx>:

Hi Gustavo,

On 01/30/2018 01:33 AM, Gustavo A. R. Silva wrote:
Cast len to const u64 in order to avoid a potential integer
overflow. This variable is being used in a context that expects
an expression of type const u64.

Addresses-Coverity-ID: 1454996 ("Unintentional integer overflow")
Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx>
---
drivers/media/platform/vivid/vivid-cec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/vivid/vivid-cec.c
b/drivers/media/platform/vivid/vivid-cec.c
index b55d278..30240ab 100644
--- a/drivers/media/platform/vivid/vivid-cec.c
+++ b/drivers/media/platform/vivid/vivid-cec.c
@@ -83,7 +83,7 @@ static void vivid_cec_pin_adap_events(struct
cec_adapter *adap, ktime_t ts,
if (adap == NULL)
return;
ts = ktime_sub_us(ts, (CEC_TIM_START_BIT_TOTAL +
- len * 10 * CEC_TIM_DATA_BIT_TOTAL));
+ (const u64)len * 10 * CEC_TIM_DATA_BIT_TOTAL));

This makes no sense. Certainly the const part is pointless. And given that
len is always <= 16 there definitely is no overflow.


Yeah, I understand your point and I know there is no chance of an
overflow in this particular case.

I don't really want this cast in the code.

Sorry,


I'm working through all the Linux kernel Coverity reports, and I
thought of sending a patch for this because IMHO it doesn't hurt to
give the compiler complete information about the arithmetic in which
an expression is intended to be evaluated.

I agree that the _const_ part is a bit odd. What do you think about
the cast to u64 alone?

What happens if you do: ((u64)CEC_TIM_START_BIT_TOTAL +

I think that forces everything else in the expression to be evaluated
as u64.


Well, in this case the operator precedence takes place and the expression len * 10 * CEC_TIM_DATA_BIT_TOTAL is computed first. So the issue remains the same.

I can switch the expressions as follows:

(u64)len * 10 * CEC_TIM_DATA_BIT_TOTAL + CEC_TIM_START_BIT_TOTAL

and avoid the cast in the middle.

What do you think?

It definitely needs a comment that this fixes a bogus Coverity report.


I actually added the following line to the message changelog:
Addresses-Coverity-ID: 1454996 ("Unintentional integer overflow")

Certainly, I've run across multiple false positives as in this case, but I have also fixed many actual bugs thanks to the Coverity reports. So I think in general it is valuable to take a look into these reports, either if they spot actual bugs or promote code correctness.

Thanks
--
Gustavo