Coverity: add_early_randomness(): Integer handling issues

Coverity: add_early_randomness(): Integer handling issues

[coverity-bot]

Hello!

This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20221108 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:

  Mon Nov 7 12:47:57 2022 +0100
    e0a37003ff0b ("hw_random: use add_hwgenerator_randomness() for early entropy")

Coverity reported the following:

*** CID 1527234:  Integer handling issues  (SIGN_EXTENSION)
drivers/char/hw_random/core.c:73 in add_early_randomness()
67     	int bytes_read;
68
69     	mutex_lock(&reading_mutex);
70     	bytes_read = rng_get_data(rng, rng_fillbuf, 32, 0);
71     	mutex_unlock(&reading_mutex);
72     	if (bytes_read > 0) {
vvv     CID 1527234:  Integer handling issues  (SIGN_EXTENSION)
vvv     Suspicious implicit sign extension: "rng->quality" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes_read * 8 * rng->quality / 1024" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
73     		size_t entropy = bytes_read * 8 * rng->quality / 1024;
74     		add_hwgenerator_randomness(rng_fillbuf, bytes_read, entropy, false);
75     	}
76     }
77
78     static inline void cleanup_rng(struct kref *kref)

If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1527234 ("Integer handling issues")
Fixes: e0a37003ff0b ("hw_random: use add_hwgenerator_randomness() for early entropy")

Thanks for your attention!

-- 
Coverity-bot

Re: Coverity: add_early_randomness(): Integer handling issues

[Jason A. Donenfeld]

"If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF,
the upper bits of the result will all be 1."

Except "bytes_read" is an int. So false positive.

Jason

Re: Coverity: add_early_randomness(): Integer handling issues

[Rasmus Villemoes]

On 08/11/2022 18.31, Jason A. Donenfeld wrote:
> "If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF,
> the upper bits of the result will all be 1."
> 
> Except "bytes_read" is an int. So false positive.

Well, the automated report could use a better wording, but just from the
types alone there's nothing preventing the "bytes_read * 8 *
rng->quality" expression from mathematically exceeding INT_MAX and thus
potentially becoming a negative value (so technically of course not
greater than 0x7FFFFFFF, but the point being that the sign bit is set),
and then the result of the division will most likely also be negative.

But what actually saves the day is that I suppose bytes_read cannot be
more than 32, so the multiplication is indeed at most 256*U16_MAX. Too
bad we don't have a __postcond(@ret < (int)size) attribute we could put
on functions like rng_get_data() to help static analysis.

Rasmus