From: Dan Carpenter <dan.carpenter@oracle.com>
To: Colin King <colin.king@canonical.com>
Cc: Antti Palosaari <crope@iki.fi>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: tda10071: fix unsigned sign extension overflow
Date: Mon, 10 Feb 2020 14:41:11 +0000 [thread overview]
Message-ID: <20200210144110.GA1778@kadam> (raw)
In-Reply-To: <20200210142646.431957-1-colin.king@canonical.com>
On Mon, Feb 10, 2020 at 02:26:46PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The shifting of buf[3] by 24 bits to the left will be promoted to
> a 32 bit signed int and then sign-extended to an unsigned long. In
> the unlikely event that the the top bit of buf[3] is set then all
> then all the upper bits end up as also being set because of
> the sign-extension and this affect the ev->post_bit_error sum.
> Fix this by using the temporary u32 variable bit_error to avoid
> the sign-extension promotion. This also removes the need to do the
> computation twice.
>
> Addresses-Coverity: ("Unintended sign extension")
> Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/media/dvb-frontends/tda10071.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
> index 1953b00b3e48..685c0ac71819 100644
> --- a/drivers/media/dvb-frontends/tda10071.c
> +++ b/drivers/media/dvb-frontends/tda10071.c
> @@ -470,10 +470,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
> goto error;
>
> if (dev->delivery_system = SYS_DVBS) {
> - dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
> - buf[2] << 8 | buf[3] << 0;
> - dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
> - buf[2] << 8 | buf[3] << 0;
> + u32 bit_error = buf[0] << 24 | buf[1] << 16 |
> + buf[2] << 8 | buf[3] << 0;
This driver has a bunch of endian conversions (probably from big endian
to little endian) and so it's probably buggy on big endian CPUs.
regards,
dan carpenter
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Colin King <colin.king@canonical.com>
Cc: Antti Palosaari <crope@iki.fi>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: tda10071: fix unsigned sign extension overflow
Date: Mon, 10 Feb 2020 17:41:11 +0300 [thread overview]
Message-ID: <20200210144110.GA1778@kadam> (raw)
In-Reply-To: <20200210142646.431957-1-colin.king@canonical.com>
On Mon, Feb 10, 2020 at 02:26:46PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The shifting of buf[3] by 24 bits to the left will be promoted to
> a 32 bit signed int and then sign-extended to an unsigned long. In
> the unlikely event that the the top bit of buf[3] is set then all
> then all the upper bits end up as also being set because of
> the sign-extension and this affect the ev->post_bit_error sum.
> Fix this by using the temporary u32 variable bit_error to avoid
> the sign-extension promotion. This also removes the need to do the
> computation twice.
>
> Addresses-Coverity: ("Unintended sign extension")
> Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/media/dvb-frontends/tda10071.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
> index 1953b00b3e48..685c0ac71819 100644
> --- a/drivers/media/dvb-frontends/tda10071.c
> +++ b/drivers/media/dvb-frontends/tda10071.c
> @@ -470,10 +470,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
> goto error;
>
> if (dev->delivery_system == SYS_DVBS) {
> - dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
> - buf[2] << 8 | buf[3] << 0;
> - dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
> - buf[2] << 8 | buf[3] << 0;
> + u32 bit_error = buf[0] << 24 | buf[1] << 16 |
> + buf[2] << 8 | buf[3] << 0;
This driver has a bunch of endian conversions (probably from big endian
to little endian) and so it's probably buggy on big endian CPUs.
regards,
dan carpenter
next prev parent reply other threads:[~2020-02-10 14:41 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-10 14:26 [PATCH] media: tda10071: fix unsigned sign extension overflow Colin King
2020-02-10 14:26 ` Colin King
2020-02-10 14:41 ` Dan Carpenter [this message]
2020-02-10 14:41 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200210144110.GA1778@kadam \
--to=dan.carpenter@oracle.com \
--cc=colin.king@canonical.com \
--cc=crope@iki.fi \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.