2024-01-18 07:36:37

by Denis Arefev

Subject: [PATCH] comedi: drivers: ni_tio: Fix arithmetic expression overflow

The value of an arithmetic expression period_ns * 1000 is subject
to overflow due to a failure to cast operands to a larger data
type before performing arithmetic

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reviewed-by: Ian Abbott <[email protected]>
Signed-off-by: Denis Arefev <[email protected]>
---
drivers/comedi/drivers/ni_tio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/ni_tio.c b/drivers/comedi/drivers/ni_tio.c
index da6826d77e60..acc914903c70 100644
--- a/drivers/comedi/drivers/ni_tio.c
+++ b/drivers/comedi/drivers/ni_tio.c
@@ -800,7 +800,7 @@ static int ni_tio_set_clock_src(struct ni_gpct *counter,
GI_PRESCALE_X2(counter_dev->variant) |
GI_PRESCALE_X8(counter_dev->variant), bits);
}
- counter->clock_period_ps = period_ns * 1000;
+ counter->clock_period_ps = period_ns * 1000UL;
ni_tio_set_sync_mode(counter);
return 0;
}
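Review bot: On the `+` line, `1000UL` widens the multiplication only on builds where `unsigned long` is 64 bits. On 32-bit builds `unsigned long` is as wide as `unsigned int`, so `period_ns * 1000UL` still wraps there. The declaration of `clock_period_ps` is not visible in this hunk; if it is a 64-bit field, `(u64)period_ns * 1000` or `1000ULL` would make the fix hold on every architecture. If it is not, the hunk needs a range check on `period_ns` instead of a wider constant.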
--
2.25.1



2024-01-18 09:32:11

by Greg Kroah-Hartman

Subject: Re: [PATCH] comedi: drivers: ni_tio: Fix arithmetic expression overflow

On Thu, Jan 18, 2024 at 10:36:19AM +0300, Denis Arefev wrote:
> The value of an arithmetic expression period_ns * 1000 is subject
> to overflow due to a failure to cast operands to a larger data
> type before performing arithmetic
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Reviewed-by: Ian Abbott <[email protected]>
> Signed-off-by: Denis Arefev <[email protected]>
> ---
> drivers/comedi/drivers/ni_tio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/comedi/drivers/ni_tio.c b/drivers/comedi/drivers/ni_tio.c
> index da6826d77e60..acc914903c70 100644
> --- a/drivers/comedi/drivers/ni_tio.c
> +++ b/drivers/comedi/drivers/ni_tio.c
> @@ -800,7 +800,7 @@ static int ni_tio_set_clock_src(struct ni_gpct *counter,
> GI_PRESCALE_X2(counter_dev->variant) |
> GI_PRESCALE_X8(counter_dev->variant), bits);
> }
> - counter->clock_period_ps = period_ns * 1000;
> + counter->clock_period_ps = period_ns * 1000UL;

Can period_ns ever be "too big" to cause such an overflow?

And what commit id does this fix?

thanks,

greg k-h

2024-01-18 13:37:31

by Ian Abbott

Subject: Re: [PATCH] comedi: drivers: ni_tio: Fix arithmetic expression overflow

On 18/01/2024 09:32, Greg Kroah-Hartman wrote:
> On Thu, Jan 18, 2024 at 10:36:19AM +0300, Denis Arefev wrote:
>> The value of an arithmetic expression period_ns * 1000 is subject
>> to overflow due to a failure to cast operands to a larger data
>> type before performing arithmetic
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Reviewed-by: Ian Abbott <[email protected]>
>> Signed-off-by: Denis Arefev <[email protected]>
>> ---
>> drivers/comedi/drivers/ni_tio.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/comedi/drivers/ni_tio.c b/drivers/comedi/drivers/ni_tio.c
>> index da6826d77e60..acc914903c70 100644
>> --- a/drivers/comedi/drivers/ni_tio.c
>> +++ b/drivers/comedi/drivers/ni_tio.c
>> @@ -800,7 +800,7 @@ static int ni_tio_set_clock_src(struct ni_gpct *counter,
>> GI_PRESCALE_X2(counter_dev->variant) |
>> GI_PRESCALE_X8(counter_dev->variant), bits);
>> }
>> - counter->clock_period_ps = period_ns * 1000;
>> + counter->clock_period_ps = period_ns * 1000UL;
>
> Can period_ns ever be "too big" to cause such an overflow?

The period_ns value comes from user-space and could be any unsigned int
value. It's used to let the driver know the period of an external clock
source.

> And what commit id does this fix?

Fixes: 3e90b1c7ebe9 ("staging: comedi: ni_tio: tidy up
ni_tio_set_clock_src() and helpers")
Cc: <[email protected]> # v5.15+

The first affected kernel version is v3.17. This patch should apply
cleanly to v5.13 onwards (when comedi was moved out of drivers/staging),
but earlier stable/longterm kernels would require a backported patch.

@Denis, if you could add the above Fixes: and Cc: lines to a v2 patch,
that would be great!

>
> thanks,
>
> greg k-h

--
-=( Ian Abbott <[email protected]> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || http://www.mev.co.uk )=-
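The wrap discussed in this thread, as an added C example that is not part of the patch or of any message above: it computes the smallest `period_ns` whose picosecond value no longer fits in 32 bits and compares the three ways the multiplication can be evaluated. Assumptions: `uint32_t` stands in for `unsigned int`, `uint64_t` for a 64-bit result, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; fixed-width types model the kernel's types.
 * uint32_t models `unsigned int`, the type the thread gives for period_ns. */

/* Pre-patch expression: unsigned int * int is evaluated in 32 bits and
 * wraps modulo 2^32 before the result is stored anywhere wider. */
static uint64_t period_ps_before(uint32_t period_ns)
{
    uint32_t product = period_ns * 1000;
    return product;
}

/* Patched expression on a build where unsigned long is 32 bits (ILP32):
 * the constant is no wider than period_ns, so the product still wraps. */
static uint64_t period_ps_ul32(uint32_t period_ns)
{
    uint32_t thousand_ul = 1000; /* models 1000UL with a 32-bit unsigned long */
    return (uint32_t)(period_ns * thousand_ul);
}

/* Multiplication widened to 64 bits first: what 1000UL gives on LP64,
 * and what an explicit 64-bit cast gives on any build. */
static uint64_t period_ps_wide(uint32_t period_ns)
{
    return (uint64_t)period_ns * 1000;
}

/* Smallest period_ns (in ns) whose picosecond value exceeds 32 bits. */
static uint32_t first_wrapping_ns(void)
{
    return UINT32_MAX / 1000 + 1;
}

int main(void)
{
    /* Constructed sample inputs: below, at, and above the wrap point. */
    uint32_t samples[] = { 4294967u, first_wrapping_ns(), 10000000u, UINT32_MAX };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("period_ns=%10u  32-bit=%10llu  ul32=%10llu  64-bit=%llu\n",
               (unsigned)samples[i],
               (unsigned long long)period_ps_before(samples[i]),
               (unsigned long long)period_ps_ul32(samples[i]),
               (unsigned long long)period_ps_wide(samples[i]));
    return 0;
}
```
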