From: Alexey Simakov
To: Gerd Hoffmann
Cc: Alexey Simakov, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Dave Airlie, virtualization@lists.linux.dev, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] drm/bochs: avoid sign extension in video memory size
Date: Mon, 8 Dec 2025 14:16:41 +0300
Message-Id: <20251208111641.4160-1-bigalex934@gmail.com>

When bochs_dispi_read() returns a value in the 0x8000–0xFFFF range, the
expression bochs_dispi_read() * 64 * 1024 is computed in signed int and
then promoted to unsigned long, which can lead to int -> unsigned long
sign extension.

Cast the multipliers to unsigned long so that the multiplication is done
in unsigned long and covers the full range of the DISPI video memory
register without sign extension.

The QEMU stdvga device using the bochs dispi interface exposes video
memory up to 256 MB, so this change is made against malicious or
out-of-spec return values from the device.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: 0a6659bdc5e8 ("drm/bochs: new driver")
Signed-off-by: Alexey Simakov --- drivers/gpu/drm/tiny/bochs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tiny/bochs.c b/drivers/gpu/drm/tiny/bochs.c index d2d5e9f1269f..943bceadd2f4 100644 --- a/drivers/gpu/drm/tiny/bochs.c +++ b/drivers/gpu/drm/tiny/bochs.c @@ -258,7 +258,7 @@ static int bochs_hw_init(struct bochs_device *bochs) =20 id =3D bochs_dispi_read(bochs, VBE_DISPI_INDEX_ID); mem =3D bochs_dispi_read(bochs, VBE_DISPI_INDEX_VIDEO_MEMORY_64K) - * 64 * 1024; + * 64UL * 1024UL; if ((id & 0xfff0) !=3D VBE_DISPI_ID0) { DRM_ERROR("ID mismatch\n"); return -ENODEV; --=20 2.34.1
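
Review bot: in the `mem = ... * 64UL * 1024UL;` assignment the device-supplied register value is still used without any upper bound, so the change removes the sign extension but does not handle the out-of-spec case the commit message names. A register value of 0xFFFF now yields a size of 0xFFFF0000 bytes, far above the 256 MB the message says QEMU stdvga exposes; consider rejecting or clamping the value right after the read, before `mem` is used. The message also says the multipliers are cast, while the hunk uses `UL` suffixes on the constants, so the wording should be aligned with the code.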