From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
coverity-bot <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Olivia Mackall <olivia@selenic.com>,
linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: Coverity: add_early_randomness(): Integer handling issues
Date: Fri, 18 Nov 2022 09:49:15 +0100 [thread overview]
Message-ID: <90e0cc7f-1cad-bb1f-448f-673dcf25cb15@prevas.dk> (raw)
In-Reply-To: <CAHmME9o_vJL6YstAGutZNzQ30EmWQ5vcYqbeFYoSvPm3CYeXzg@mail.gmail.com>
On 08/11/2022 18.31, Jason A. Donenfeld wrote:
> "If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF,
> the upper bits of the result will all be 1."
>
> Except "bytes_read" is an int. So false positive.
Well, the automated report could use a better wording, but just from the
types alone there's nothing preventing the "bytes_read * 8 *
rng->quality" expression from mathematically exceeding INT_MAX and thus
potentially becoming a negative value (so technically of course not
greater than 0x7FFFFFFF, but the point being that the sign bit is set),
and then the result of the division will most likely also be negative.
But what actually saves the day is that I suppose bytes_read cannot be
more than 32, so the multiplication is indeed at most 256*U16_MAX. Too
bad we don't have a __postcond(@ret < (int)size) attribute we could put
on functions like rng_get_data() to help static analysis.
Rasmus
prev parent reply other threads:[~2022-11-18 8:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-08 17:29 Coverity: add_early_randomness(): Integer handling issues coverity-bot
2022-11-08 17:31 ` Jason A. Donenfeld
2022-11-18 8:49 ` Rasmus Villemoes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=90e0cc7f-1cad-bb1f-448f-673dcf25cb15@prevas.dk \
--to=rasmus.villemoes@prevas.dk \
--cc=Jason@zx2c4.com \
--cc=gustavo@embeddedor.com \
--cc=herbert@gondor.apana.org.au \
--cc=keescook@chromium.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=olivia@selenic.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox