Linux-Media Archive on lore.kernel.org
* [PATCH] media: tda10071: fix unsigned sign extension overflow
@ 2020-02-10 14:26 Colin King
  2020-02-10 14:41 ` Dan Carpenter
  0 siblings, 1 reply; 2+ messages in thread
From: Colin King @ 2020-02-10 14:26 UTC
  To: Antti Palosaari, Mauro Carvalho Chehab, linux-media
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

The shifting of buf[3] by 24 bits to the left will be promoted to
a 32 bit signed int and then sign-extended to an unsigned long. In
the unlikely event that the top bit of buf[3] is set then all
the upper bits end up as also being set because of
the sign-extension and this affects the ev->post_bit_error sum.
Fix this by using the temporary u32 variable bit_error to avoid
the sign-extension promotion. This also removes the need to do the
computation twice.

Addresses-Coverity: ("Unintended sign extension")
Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/media/dvb-frontends/tda10071.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
index 1953b00b3e48..685c0ac71819 100644
--- a/drivers/media/dvb-frontends/tda10071.c
+++ b/drivers/media/dvb-frontends/tda10071.c
@@ -470,10 +470,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
 			goto error;
 
 		if (dev->delivery_system == SYS_DVBS) {
-			dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
-					 buf[2] << 8 | buf[3] << 0;
-			dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
-					       buf[2] << 8 | buf[3] << 0;
+			u32 bit_error = buf[0] << 24 | buf[1] << 16 |
+					buf[2] << 8 | buf[3] << 0;
+
+			dev->dvbv3_ber = bit_error;
+			dev->post_bit_error += bit_error;
 			c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER;
 			c->post_bit_error.stat[0].uvalue = dev->post_bit_error;
 			dev->block_error += buf[4] << 8 | buf[5] << 0;
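
Review bot: in the new `u32 bit_error = buf[0] << 24 | ...` initializer, buf[0] is still promoted to a signed int before the shift, so when its top bit is set the shift still lands in the sign bit of that int; only the assignment to the u32 stops the result being widened with its sign. Casting the first operand, `(u32)buf[0] << 24`, keeps the whole expression unsigned. If buf is a plain byte array (its declaration is outside this hunk), get_unaligned_be32(buf) would express the same read without open-coded shifts.
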
-- 
2.25.0
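
The sign extension the commit message describes, reproduced in user space as an added example (not code from the patch or the driver). The 64-bit counter width, the function names and the sample bytes are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-patch behaviour: the OR of the shifted bytes has type int, so adding
 * it to a wider unsigned counter sign-extends it first. The int value is
 * produced by a cast here so the demo itself never shifts into the sign bit. */
static uint64_t add_promoted_int(uint64_t counter, const uint8_t buf[4])
{
	uint32_t raw = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
		       (uint32_t)buf[2] << 8 | (uint32_t)buf[3];
	int32_t as_int = (int32_t)raw;	/* negative on gcc/clang when bit 31 is set */

	return counter + (uint64_t)as_int;	/* sign-extended to 64 bits */
}

/* Post-patch behaviour: the value sits in a 32-bit unsigned temporary,
 * so it is zero-extended when added to the counter. */
static uint64_t add_u32_temp(uint64_t counter, const uint8_t buf[4])
{
	uint32_t bit_error = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
			     (uint32_t)buf[2] << 8 | (uint32_t)buf[3];

	return counter + bit_error;
}

int main(void)
{
	/* Constructed register contents: top bit of the first byte set. */
	const uint8_t buf[4] = { 0x80, 0x00, 0x00, 0x01 };

	printf("promoted int : 0x%016llx\n",
	       (unsigned long long)add_promoted_int(0, buf));
	printf("u32 temporary: 0x%016llx\n",
	       (unsigned long long)add_u32_temp(0, buf));
	return 0;
}
```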



* Re: [PATCH] media: tda10071: fix unsigned sign extension overflow
  2020-02-10 14:26 [PATCH] media: tda10071: fix unsigned sign extension overflow Colin King
@ 2020-02-10 14:41 ` Dan Carpenter
  0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2020-02-10 14:41 UTC
  To: Colin King
  Cc: Antti Palosaari, Mauro Carvalho Chehab, linux-media,
	kernel-janitors, linux-kernel

On Mon, Feb 10, 2020 at 02:26:46PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> The shifting of buf[3] by 24 bits to the left will be promoted to
> a 32 bit signed int and then sign-extended to an unsigned long. In
> the unlikely event that the top bit of buf[3] is set then all
> the upper bits end up as also being set because of
> the sign-extension and this affects the ev->post_bit_error sum.
> Fix this by using the temporary u32 variable bit_error to avoid
> the sign-extension promotion. This also removes the need to do the
> computation twice.
> 
> Addresses-Coverity: ("Unintended sign extension")
> Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/media/dvb-frontends/tda10071.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
> index 1953b00b3e48..685c0ac71819 100644
> --- a/drivers/media/dvb-frontends/tda10071.c
> +++ b/drivers/media/dvb-frontends/tda10071.c
> @@ -470,10 +470,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
>  			goto error;
>  
>  		if (dev->delivery_system == SYS_DVBS) {
> -			dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
> -					 buf[2] << 8 | buf[3] << 0;
> -			dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
> -					       buf[2] << 8 | buf[3] << 0;
> +			u32 bit_error = buf[0] << 24 | buf[1] << 16 |
> +					buf[2] << 8 | buf[3] << 0;
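
Review bot: the description quoted above does not match the lines in this hunk: it says buf[3] is shifted by 24 bits and that ev->post_bit_error is affected, while the hunk shifts buf[0] by 24 (buf[3] is shifted by 0) and the removed lines update dev->post_bit_error. The changelog should name buf[0] and dev->post_bit_error so that it reads correctly against the code it fixes.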

This driver has a bunch of endian conversions (probably from big endian
to little endian) and so it's probably buggy on big endian CPUs.

regards,
dan carpenter

