* Coverity: add_early_randomness(): Integer handling issues
@ 2022-11-08 17:29 coverity-bot
2022-11-08 17:31 ` Jason A. Donenfeld
0 siblings, 1 reply; 3+ messages in thread
From: coverity-bot @ 2022-11-08 17:29 UTC (permalink / raw)
To: Jason A. Donenfeld
Cc: linux-kernel, Theodore Ts'o, Dominik Brodowski,
Jason A. Donenfeld, Olivia Mackall, linux-crypto, Herbert Xu,
Gustavo A. R. Silva, linux-next, linux-hardening
Hello!
This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20221108 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan
You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:
Mon Nov 7 12:47:57 2022 +0100
e0a37003ff0b ("hw_random: use add_hwgenerator_randomness() for early entropy")
Coverity reported the following:
*** CID 1527234: Integer handling issues (SIGN_EXTENSION)
drivers/char/hw_random/core.c:73 in add_early_randomness()
67 int bytes_read;
68
69 mutex_lock(&reading_mutex);
70 bytes_read = rng_get_data(rng, rng_fillbuf, 32, 0);
71 mutex_unlock(&reading_mutex);
72 if (bytes_read > 0) {
vvv CID 1527234: Integer handling issues (SIGN_EXTENSION)
vvv Suspicious implicit sign extension: "rng->quality" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes_read * 8 * rng->quality / 1024" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
73 size_t entropy = bytes_read * 8 * rng->quality / 1024;
74 add_hwgenerator_randomness(rng_fillbuf, bytes_read, entropy, false);
75 }
76 }
77
78 static inline void cleanup_rng(struct kref *kref)
If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1527234 ("Integer handling issues")
Fixes: e0a37003ff0b ("hw_random: use add_hwgenerator_randomness() for early entropy")
Thanks for your attention!
--
Coverity-bot
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Coverity: add_early_randomness(): Integer handling issues
2022-11-08 17:29 Coverity: add_early_randomness(): Integer handling issues coverity-bot
@ 2022-11-08 17:31 ` Jason A. Donenfeld
2022-11-18 8:49 ` Rasmus Villemoes
0 siblings, 1 reply; 3+ messages in thread
From: Jason A. Donenfeld @ 2022-11-08 17:31 UTC (permalink / raw)
To: coverity-bot
Cc: linux-kernel, Theodore Ts'o, Dominik Brodowski,
Olivia Mackall, linux-crypto, Herbert Xu, Gustavo A. R. Silva,
linux-next, linux-hardening
"If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF,
the upper bits of the result will all be 1."
Except "bytes_read" is an int. So false positive.
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Coverity: add_early_randomness(): Integer handling issues
2022-11-08 17:31 ` Jason A. Donenfeld
@ 2022-11-18 8:49 ` Rasmus Villemoes
0 siblings, 0 replies; 3+ messages in thread
From: Rasmus Villemoes @ 2022-11-18 8:49 UTC (permalink / raw)
To: Jason A. Donenfeld, coverity-bot
Cc: linux-kernel, Theodore Ts'o, Dominik Brodowski,
Olivia Mackall, linux-crypto, Herbert Xu, Gustavo A. R. Silva,
linux-next, linux-hardening
On 08/11/2022 18.31, Jason A. Donenfeld wrote:
> "If "bytes_read * 8 * rng->quality / 1024" is greater than 0x7FFFFFFF,
> the upper bits of the result will all be 1."
>
> Except "bytes_read" is an int. So false positive.
Well, the automated report could use a better wording, but just from the
types alone there's nothing preventing the "bytes_read * 8 *
rng->quality" expression from mathematically exceeding INT_MAX and thus
potentially becoming a negative value (so technically of course not
greater than 0x7FFFFFFF, but the point being that the sign bit is set),
and then the result of the division will most likely also be negative.
But what actually saves the day is that I suppose bytes_read cannot be
more than 32, so the multiplication is indeed at most 256*U16_MAX. Too
bad we don't have a __postcond(@ret < (int)size) attribute we could put
on functions like rng_get_data() to help static analysis.
Rasmus
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-18 8:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-08 17:29 Coverity: add_early_randomness(): Integer handling issues coverity-bot
2022-11-08 17:31 ` Jason A. Donenfeld
2022-11-18 8:49 ` Rasmus Villemoes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).