iio: invensense: fix integer overflow while multiplication

Message ID	20241103-coverity1586045integeroverflow-v1-1-43ea37a3f3cd@gmail.com (mailing list archive)
State	Accepted
Headers	show Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5CEA0157A6B; Sun, 3 Nov 2024 08:43:35 +0000 (UTC) From: Karan Sanghavi <karansanghvi98@gmail.com> Date: Sun, 03 Nov 2024 08:43:14 +0000 Subject: [PATCH] iio: invensense: fix integer overflow while multiplication Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20241103-coverity1586045integeroverflow-v1-1-43ea37a3f3cd@gmail.com> To: Jonathan Cameron <jic23@kernel.org>, Lars-Peter Clausen <lars@metafoo.de> Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Shuah Khan <skhan@linuxfoundation.org>, Anup <anupnewsmail@gmail.com>, Karan Sanghavi <karansanghvi98@gmail.com>
Series	iio: invensense: fix integer overflow while multiplication \| expand iio: invensense: fix integer overflow while multiplication

Message ID

20241103-coverity1586045integeroverflow-v1-1-43ea37a3f3cd@gmail.com (mailing list archive)

State

Accepted

Headers

From: Karan Sanghavi <karansanghvi98@gmail.com>
Date: Sun, 03 Nov 2024 08:43:14 +0000
Subject: [PATCH] iio: invensense: fix integer overflow while multiplication
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: 
 <20241103-coverity1586045integeroverflow-v1-1-43ea37a3f3cd@gmail.com>
To: Jonathan Cameron <jic23@kernel.org>,
 Lars-Peter Clausen <lars@metafoo.de>
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
 Shuah Khan <skhan@linuxfoundation.org>, Anup <anupnewsmail@gmail.com>,
 Karan Sanghavi <karansanghvi98@gmail.com>

Series

iio: invensense: fix integer overflow while multiplication | expand

Commit Message

Karan Sanghavi Nov. 3, 2024, 8:43 a.m. UTC

Typecast a variable to int64_t for 64-bit arithmetic multiplication

Signed-off-by: Karan Sanghavi <karansanghvi98@gmail.com>
---
 drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


---
base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
change-id: 20241102-coverity1586045integeroverflow-cbbf357475d9

Best regards,

Comments

Jonathan Cameron Nov. 3, 2024, 11:18 a.m. UTC | #1

On Sun, 03 Nov 2024 08:43:14 +0000
Karan Sanghavi <karansanghvi98@gmail.com> wrote:

Hi Karan,

> Typecast a variable to int64_t for 64-bit arithmetic multiplication

The path to actually triggering this is non obvious as these
inputs are the result of rather complex code paths and per chip
constraints.  Have you identified a particular combination that overflows
or is this just based on the type?  I have no problem with applying this
as hardening against future uses but unless we have a path to trigger
it today it isn't a fix.

If you do have a path, this description should state what it is.

> 
> Signed-off-by: Karan Sanghavi <karansanghvi98@gmail.com>
If it's a real bug, needs a Fixes tag so we know how far to backport it.

> ---
>  drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> index f44458c380d9..d1d11d0b2458 100644
> --- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> +++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> @@ -105,8 +105,8 @@ static bool inv_update_chip_period(struct inv_sensors_timestamp *ts,
>  
>  static void inv_align_timestamp_it(struct inv_sensors_timestamp *ts)
>  {
> -	const int64_t period_min = ts->min_period * ts->mult;
> -	const int64_t period_max = ts->max_period * ts->mult;
> +	const int64_t period_min = (int64_t)ts->min_period * ts->mult;
> +	const int64_t period_max = (int64_t)ts->max_period * ts->mult;
>  	int64_t add_max, sub_max;
>  	int64_t delta, jitter;
>  	int64_t adjust;
> 
> ---
> base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> change-id: 20241102-coverity1586045integeroverflow-cbbf357475d9
> 
> Best regards,

Karan Sanghavi Nov. 4, 2024, 4:26 p.m. UTC | #2

On Sun, Nov 03, 2024 at 11:18:27AM +0000, Jonathan Cameron wrote:
> On Sun, 03 Nov 2024 08:43:14 +0000
> Karan Sanghavi <karansanghvi98@gmail.com> wrote:
> 
> Hi Karan,
> 
> > Typecast a variable to int64_t for 64-bit arithmetic multiplication
> 
> The path to actually triggering this is non obvious as these
> inputs are the result of rather complex code paths and per chip
> constraints.  Have you identified a particular combination that overflows
> or is this just based on the type?  I have no problem with applying this
> as hardening against future uses but unless we have a path to trigger
> it today it isn't a fix.
> 
> If you do have a path, this description should state what it is.
>

The above issue is discovered by Coverity with CID 1586045 and 1586044.
Link: https://scan7.scan.coverity.com/#/project-view/51946/11354?selectedIssue=1586045

Should I mention this path in the commit short message?

> > 
> > Signed-off-by: Karan Sanghavi <karansanghvi98@gmail.com>
> If it's a real bug, needs a Fixes tag so we know how far to backport it.
> 

What kind of Fixes tag should I provide here. 

> > ---
> >  drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > index f44458c380d9..d1d11d0b2458 100644
> > --- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > +++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > @@ -105,8 +105,8 @@ static bool inv_update_chip_period(struct inv_sensors_timestamp *ts,
> >  
> >  static void inv_align_timestamp_it(struct inv_sensors_timestamp *ts)
> >  {
> > -	const int64_t period_min = ts->min_period * ts->mult;
> > -	const int64_t period_max = ts->max_period * ts->mult;
> > +	const int64_t period_min = (int64_t)ts->min_period * ts->mult;
> > +	const int64_t period_max = (int64_t)ts->max_period * ts->mult;
> >  	int64_t add_max, sub_max;
> >  	int64_t delta, jitter;
> >  	int64_t adjust;
> > 
> > ---
> > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> > change-id: 20241102-coverity1586045integeroverflow-cbbf357475d9
> > 
> > Best regards,
>

Thank you,
Karan.

Karan Sanghavi Nov. 5, 2024, 5:39 p.m. UTC | #3

On Sun, Nov 03, 2024 at 11:18:27AM +0000, Jonathan Cameron wrote:
> On Sun, 03 Nov 2024 08:43:14 +0000
> Karan Sanghavi <karansanghvi98@gmail.com> wrote:
> 
> Hi Karan,
> 
> > Typecast a variable to int64_t for 64-bit arithmetic multiplication
> 
> The path to actually triggering this is non obvious as these
> inputs are the result of rather complex code paths and per chip
> constraints.  Have you identified a particular combination that overflows
> or is this just based on the type?  I have no problem with applying this
> as hardening against future uses but unless we have a path to trigger
> it today it isn't a fix.
> 
> If you do have a path, this description should state what it is.
>
I found this in the coverity scan with CID:1586045 stating

overflow_before_widen: Potentially overflowing expression ts->min_period * ts->mult with type 
unsigned int (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a 
context that expects an expression of type int64_t const (64 bits, signed).

> > 
> > Signed-off-by: Karan Sanghavi <karansanghvi98@gmail.com>
> If it's a real bug, needs a Fixes tag so we know how far to backport it.
>
I thought that this is a fix to this coverity issue thus used fix in the
subject. 
If I have to mention the fix tag for this then can you please let me
know what should I mention in the fix tag.
> > ---
> >  drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > index f44458c380d9..d1d11d0b2458 100644
> > --- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > +++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > @@ -105,8 +105,8 @@ static bool inv_update_chip_period(struct inv_sensors_timestamp *ts,
> >  
> >  static void inv_align_timestamp_it(struct inv_sensors_timestamp *ts)
> >  {
> > -	const int64_t period_min = ts->min_period * ts->mult;
> > -	const int64_t period_max = ts->max_period * ts->mult;
> > +	const int64_t period_min = (int64_t)ts->min_period * ts->mult;
> > +	const int64_t period_max = (int64_t)ts->max_period * ts->mult;
> >  	int64_t add_max, sub_max;
> >  	int64_t delta, jitter;
> >  	int64_t adjust;
> > 
> > ---
> > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> > change-id: 20241102-coverity1586045integeroverflow-cbbf357475d9
> > 
> > Best regards,
>  
Thank you,
Karan.

Jonathan Cameron Nov. 9, 2024, 3:28 p.m. UTC | #4

On Mon, 4 Nov 2024 16:26:31 +0000
Karan Sanghavi <karansanghvi98@gmail.com> wrote:

> On Sun, Nov 03, 2024 at 11:18:27AM +0000, Jonathan Cameron wrote:
> > On Sun, 03 Nov 2024 08:43:14 +0000
> > Karan Sanghavi <karansanghvi98@gmail.com> wrote:
> > 
> > Hi Karan,
> >   
> > > Typecast a variable to int64_t for 64-bit arithmetic multiplication  
> > 
> > The path to actually triggering this is non obvious as these
> > inputs are the result of rather complex code paths and per chip
> > constraints.  Have you identified a particular combination that overflows
> > or is this just based on the type?  I have no problem with applying this
> > as hardening against future uses but unless we have a path to trigger
> > it today it isn't a fix.
> > 
> > If you do have a path, this description should state what it is.
> >  
> 
> The above issue is discovered by Coverity with CID 1586045 and 1586044.
> Link: https://scan7.scan.coverity.com/#/project-view/51946/11354?selectedIssue=1586045
> 
> Should I mention this path in the commit short message?

That wasn't what I meant.  I was after what combination of possible
inputs actually trigger this rather than (I suspect) local analysis coverity has
done.

> 
> > > 
> > > Signed-off-by: Karan Sanghavi <karansanghvi98@gmail.com>  
> > If it's a real bug, needs a Fixes tag so we know how far to backport it.
> >   
> 
> What kind of Fixes tag should I provide here. 
The patch that introduced the bug in the first place.  See submitting patches
docs for the format.

However, I suspect this is coverity firing a false positive be it a reasonable
one that we should tidy up. As such I'll queue this patch up, but not
as a fix that I'm rushing in, but just as general cleanup for next cycle.

If you find a path to trigger the overflow via userspace inputs etc
then I'm happy to move it over to being handled as an urgent fix.

Jonathan

> 
> > > ---
> > >  drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > > index f44458c380d9..d1d11d0b2458 100644
> > > --- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > > +++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
> > > @@ -105,8 +105,8 @@ static bool inv_update_chip_period(struct inv_sensors_timestamp *ts,
> > >  
> > >  static void inv_align_timestamp_it(struct inv_sensors_timestamp *ts)
> > >  {
> > > -	const int64_t period_min = ts->min_period * ts->mult;
> > > -	const int64_t period_max = ts->max_period * ts->mult;
> > > +	const int64_t period_min = (int64_t)ts->min_period * ts->mult;
> > > +	const int64_t period_max = (int64_t)ts->max_period * ts->mult;
> > >  	int64_t add_max, sub_max;
> > >  	int64_t delta, jitter;
> > >  	int64_t adjust;
> > > 
> > > ---
> > > base-commit: 81983758430957d9a5cb3333fe324fd70cf63e7e
> > > change-id: 20241102-coverity1586045integeroverflow-cbbf357475d9
> > > 
> > > Best regards,  
> >  
> 
> Thank you,
> Karan.

diff --git a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
index f44458c380d9..d1d11d0b2458 100644
--- a/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
+++ b/drivers/iio/common/inv_sensors/inv_sensors_timestamp.c
@@ -105,8 +105,8 @@  static bool inv_update_chip_period(struct inv_sensors_timestamp *ts,
 
 static void inv_align_timestamp_it(struct inv_sensors_timestamp *ts)
 {
-	const int64_t period_min = ts->min_period * ts->mult;
-	const int64_t period_max = ts->max_period * ts->mult;
+	const int64_t period_min = (int64_t)ts->min_period * ts->mult;
+	const int64_t period_max = (int64_t)ts->max_period * ts->mult;
 	int64_t add_max, sub_max;
 	int64_t delta, jitter;
 	int64_t adjust;

iio: invensense: fix integer overflow while multiplication

Commit Message

Comments

Patch