LinuxLists.cc - [PATCH][next] can: usb: fix potential integer overflow on shift of a int

2020-11-05 11:28:43

Subject: [PATCH][next] can: usb: fix potential integer overflow on shift of a int

From: Colin Ian King <[email protected]>

The left shift of int 32 bit integer constant 1 is evaluated using
32 bit arithmetic and then assigned to a signed 64 bit variable. In
the case where time_ref->adapter->ts_used_bits is 32 or more this
can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro
instead.

Addresses-Coverity: ("Unintentional integer overflow")
Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
Signed-off-by: Colin Ian King <[email protected]>
---
drivers/net/can/usb/peak_usb/pcan_usb_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
index c2764799f9ef..204ccb27d6d9 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -156,7 +156,7 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time)
if (time_ref->ts_dev_1 < time_ref->ts_dev_2) {
/* case when event time (tsw) wraps */
if (ts < time_ref->ts_dev_1)
- delta_ts = 1 << time_ref->adapter->ts_used_bits;
+ delta_ts = BIT_ULL(time_ref->adapter->ts_used_bits);

/* Otherwise, sync time counter (ts_dev_2) has wrapped:
* handle case when event time (tsn) hasn't.
@@ -168,7 +168,7 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time)
* tsn ts
*/
} else if (time_ref->ts_dev_1 < ts) {
- delta_ts = -(1 << time_ref->adapter->ts_used_bits);
+ delta_ts = -BIT_ULL(time_ref->adapter->ts_used_bits);
}

/* add delay between last sync and event timestamps */
--
2.27.0

2020-11-05 13:09:40

by Marc Kleine-Budde

[permalink] [raw]

Subject: Re: [PATCH][next] can: usb: fix potential integer overflow on shift of a int

On 11/5/20 12:24 PM, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> The left shift of int 32 bit integer constant 1 is evaluated using
> 32 bit arithmetic and then assigned to a signed 64 bit variable. In
> the case where time_ref->adapter->ts_used_bits is 32 or more this
> can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro
> instead.
>
> Addresses-Coverity: ("Unintentional integer overflow")
> Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
> Signed-off-by: Colin Ian King <[email protected]>

Applied to linux-can/testing (not to next).

Thanks,
Marc

--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |

Attachments:

signature.asc (499.00 B)
OpenPGP digital signature