Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3078907pxb;
        Tue, 12 Jan 2021 05:59:48 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzuoiukl5TvJR3PQEBuLYZGlnE32kM0Nh1FJ9njLi3irF8U67kzBwTFFJeKdW1NeKIpvbfJ
X-Received: by 2002:a50:ab59:: with SMTP id t25mr3524352edc.364.1610459988542;
        Tue, 12 Jan 2021 05:59:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610459988; cv=none;
        d=google.com; s=arc-20160816;
        b=XKyPotDLgv7hJxgR7Fo+/FIgiaD97/Qgz/XLS46yOph5B3FszuDfK1Y7EFIN2ydDkL
         vv++QMt0Xqkx1AKRCjeU1SgsZ3oAZ+bK7vWPMY20k6+84jndDY6pXYjqd4ZZbqZC37EI
         0B3IXbuq6AE7VpHOP5Jx1MKtNv2nXN015wkQvgT1G57xqCUJmMhqZvqbDRgYse7Da8Aa
         S8pP06gvDD74Ugg+jF049wBqWWl5D64Dp2FF8OW5tQlNtwWroM3Ad2Zkocupf3KFYSeq
         mVejiXWQDPcJaobvxmOLYoI0V7WtG1wcLBlbeXnU5cy+4Ryo00Vf1W2qujPtTmWx4dUJ
         T1rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version;
        bh=bewu31Wz6BYeJ3fs1tGieNc7Cxbmk8ZWGMFgmRHxzYM=;
        b=tPzhL5ClCjyZ8STGogVtcyZl/O8u5wjfnySHsX61K10wNX6//xyjynOGjevwlgg/Tk
         vKoLmQ0MOjsBqEez+71Xt/fgZZOz+QDd3lSABeyhrfZNcLZUQ8RfFUh3uL66qqkWiExm
         xUvSBubvggxx6qx4tgckwB5oQMo+INqrCiT0BiRxIrkp9RVRFTBLPYjlMf2/OLXfzNZL
         mSOj+houdjhnDa/Yrlzu++mTR5l6qbKbUXbdcyNKooZWcL6usjjzEEkN8eoYvOgR0ulu
         l+uJtuCsJ98RIhOuEMqFsPAW4QhmIzA+ZfcchRZkrKrmIHkdkvOTcCVeZ14ibf4bs+sS
         qqFA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z6si1168937ejw.244.2021.01.12.05.59.24;
        Tue, 12 Jan 2021 05:59:48 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732213AbhALN43 (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Tue, 12 Jan 2021 08:56:29 -0500
Received: from mail-ot1-f45.google.com ([209.85.210.45]:43644 "EHLO
        mail-ot1-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726901AbhALN42 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Jan 2021 08:56:28 -0500
Received: by mail-ot1-f45.google.com with SMTP id q25so2272635otn.10
        for <linux-kernel@vger.kernel.org>; Tue, 12 Jan 2021 05:56:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=bewu31Wz6BYeJ3fs1tGieNc7Cxbmk8ZWGMFgmRHxzYM=;
        b=nf1yUJJo2FWFTlJLV15AKXdbf0tsRhNuLmpX7Ge85ezvd8YGAGS0/iC49KIWTzrShS
         qeDPclHDt+cLrq1S5oCtS30Y3zAWVY8PFpwjet2ckrby8XL29/0Fvwgn8rZkg0CleR3O
         XnwUDtfXtcrDifjY1dAEj0m4rn/Ri1SifvHej0rslzoo9HYOGZrmB+OyQhvfPuh/0KxK
         Rdlhon+8WeoorX3CdtUBY69qCjDxenJ0Z4uL9uAqbwtaKXHstxoj1So4pm1bGlrFGSdI
         mzcm48roDo0i6wuzETinIzhbuNQ6OpDamXXbiOwK889c2CRlzTiaRqxsu75/lTvIPdCg
         +cEA==
X-Gm-Message-State: AOAM530HPEeIw4nL+OGqxm5DJdf4Jn0cjg/h1TIV1S0hdHqgqp9k+nE3
        RFdlfw1vpD0SJS8ih7mLrxxnZwrA6PCyg4NGvVkZBTS7yyg=
X-Received: by 2002:a05:6830:210a:: with SMTP id i10mr2834180otc.145.1610459747107;
 Tue, 12 Jan 2021 05:55:47 -0800 (PST)
MIME-Version: 1.0
References: <20210111130251.361335-1-geert+renesas@glider.be>
 <20210111130251.361335-3-geert+renesas@glider.be> <20210112134259.GA44140@workstation>
In-Reply-To: <20210112134259.GA44140@workstation>
From:   Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Tue, 12 Jan 2021 14:55:35 +0100
Message-ID: <CAMuHMdWo6uSBYr=uBWVPBfELfs6g5ZdnLdADakBj5ze9wkq9BQ@mail.gmail.com>
Subject: Re: [PATCH/RFC 2/2] ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
To:     Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc:     Clemens Ladisch <clemens@ladisch.de>,
        Jaroslav Kysela <perex@perex.cz>,
        Takashi Iwai <tiwai@suse.com>,
        ALSA Development Mailing List <alsa-devel@alsa-project.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Sakamoto-san,

On Tue, Jan 12, 2021 at 2:43 PM Takashi Sakamoto
<o-takashi@sakamocchi.jp> wrote:
> On Mon, Jan 11, 2021 at 02:02:51PM +0100, Geert Uytterhoeven wrote:
> > As snd_fw_async_midi_port.consume_bytes is unsigned int, and
> > NSEC_PER_SEC is 1000000000L, the second multiplication in
> >
> >     port->consume_bytes * 8 * NSEC_PER_SEC / 31250
> >
> > always overflows on 32-bit platforms, truncating the result.  Fix this
> > by precalculating "NSEC_PER_SEC / 31250", which is an integer constant.
> >
> > Note that this assumes port->consume_bytes <= 16777.
> >
> > Fixes: 531f471834227d03 ("ALSA: firewire-lib/firewire-tascam: localize async midi port")
> > Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> > ---
> > Compile-tested only.
> >
> > I don't know the maximum transfer length of MIDI, but given it's an old
> > standard, I guess it's rather small.  If it is larger than 16777, the
> > constant "8" should be replaced by "8ULL", to force 64-bit arithmetic.
> > ---
> >  sound/firewire/tascam/tascam-transaction.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Indeed. The calculation brings integer overflow of 32 bit storage. Thanks
> for your care and proposal of the patch. I agree with the intension of
> patch, however I have a nitpicking that the consume_bytes member is
> defined as 'int', not 'unsigned int' in your commit comment.

Thanks, you're right.
Note that port->consume_bytes being signed halves the limit to
8388 bytes, which is of course still met.

> The member has value returned from the call of 'fill_message()'[1] for the
> length of byte messages in buffer to process, or for error code. The
> error code is checked immediately. The range of value is equal to
> or less than 3 when reaching the calculation, thus it should be less than
> 16777.
>
> Regardless of the type of 'int' or 'unsigned int', this patch can fix
> the issued problem. Feel free to add my tag when you post second version
> with comment fix.
>
> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>

Thanks!

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds