Message ID | 8d5dfc87d297a92d5ccc750c5c002bbc4226d3ad.1729074076.git.mchehab+huawei@kernel.org (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Media: fix several issues on drivers | expand |
On 16/10/2024 12:22, Mauro Carvalho Chehab wrote: > There is a hidden overflow condition there. As date is signed > and u8 is unsigned, doing: > > date = (data[0] << 24) > > With a value bigger than 07f will make all upper bits of date > 0xffffffff. This can be demonstrated with this small code: > > <code> > > typedef int64_t time64_t; > typedef uint8_t u8; > > int main(void) > { > u8 data[] = { 0xde ,0xad , 0xbe, 0xef }; > time64_t date; > > date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; > printf("Invalid data = 0x%08lx\n", date); > > date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; > printf("Expected data = 0x%08lx\n", date); > > return 0; > } > </code> > > Fix it by converting the upper bit calculation to unsigned. > > Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order") > Cc: stable@vger.kernel.org Not a fix either, just an improvement. The worst that can happen is that in 2038 the wrong date is shown, provided they release new firmware for this device in that year :-) Regards, Hans > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> > --- > drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/cec/usb/pulse8/pulse8-cec.c b/drivers/media/cec/usb/pulse8/pulse8-cec.c > index ba67587bd43e..171366fe3544 100644 > --- a/drivers/media/cec/usb/pulse8/pulse8-cec.c > +++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c > @@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *pulse8, struct serio *serio, > err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4); > if (err) > return err; > - date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; > + date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; > dev_info(pulse8->dev, "Firmware build date %ptT\n", &date); > > dev_dbg(pulse8->dev, "Persistent config:\n");
diff --git a/drivers/media/cec/usb/pulse8/pulse8-cec.c b/drivers/media/cec/usb/pulse8/pulse8-cec.c index ba67587bd43e..171366fe3544 100644 --- a/drivers/media/cec/usb/pulse8/pulse8-cec.c +++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c @@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *pulse8, struct serio *serio, err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4); if (err) return err; - date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; dev_info(pulse8->dev, "Firmware build date %ptT\n", &date); dev_dbg(pulse8->dev, "Persistent config:\n");
There is a hidden overflow condition there. As date is signed and u8 is unsigned, doing: date = (data[0] << 24) With a value bigger than 07f will make all upper bits of date 0xffffffff. This can be demonstrated with this small code: <code> typedef int64_t time64_t; typedef uint8_t u8; int main(void) { u8 data[] = { 0xde ,0xad , 0xbe, 0xef }; time64_t date; date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; printf("Invalid data = 0x%08lx\n", date); date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; printf("Expected data = 0x%08lx\n", date); return 0; } </code> Fix it by converting the upper bit calculation to unsigned. Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order") Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> --- drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)