firmware_loader: prevent integer overflow in firmware_loading_timeout()

[PATCH] firmware_loader: prevent integer overflow in firmware_loading_timeout()

Posted by Sergey Shtylyov 3 months ago

In firmware_loading_timeout(), *int* result of __firmware_loading_timeout()
multiplied by HZ might overflow before being implicitly cast to *long* when
being returned. Rewrite the function using check_mul_overflow() and capping
the result at LONG_MAX on actual overflow...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org

---
The patch is against the commit 78f4e737a53e1163ded2687a922fce138aee73f5 in
Linus Torvalds' linux.git repo -- that's the most recent commit I could get
(git {fetch,pull} from git.kernel stopped working for me first with git://
and then with https:// protocol)...

 drivers/base/firmware_loader/fallback.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: linux/drivers/base/firmware_loader/fallback.c
===================================================================
--- linux.orig/drivers/base/firmware_loader/fallback.c
+++ linux/drivers/base/firmware_loader/fallback.c
@@ -35,8 +35,13 @@ void fw_fallback_set_default_timeout(voi
 
 static long firmware_loading_timeout(void)
 {
-	return __firmware_loading_timeout() > 0 ?
-		__firmware_loading_timeout() * HZ : MAX_JIFFY_OFFSET;
+	long timeout;
+
+	if (__firmware_loading_timeout() <= 0)
+		return MAX_JIFFY_OFFSET;
+	if (check_mul_overflow(__firmware_loading_timeout(), HZ, &timeout))
+		return LONG_MAX;
+	return timeout;
 }
 
 static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv,  long timeout)

Re: [PATCH] firmware_loader: prevent integer overflow in firmware_loading_timeout()

Posted by Luis Chamberlain 3 months ago

On Thu, Jul 03, 2025 at 11:38:33PM +0300, Sergey Shtylyov wrote:
> In firmware_loading_timeout(), *int* result of __firmware_loading_timeout()
> multiplied by HZ might overflow before being implicitly cast to *long* when
> being returned. Rewrite the function using check_mul_overflow() and capping
> the result at LONG_MAX on actual overflow...
> 
> Found by Linux Verification Center (linuxtesting.org) with the Svace static
> analysis tool.
> 
> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> Cc: stable@vger.kernel.org

Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>

  Luis

Re: [PATCH] firmware_loader: prevent integer overflow in firmware_loading_timeout()

Posted by Sergey Shtylyov 2 months, 2 weeks ago

On 7/5/25 4:39 AM, Luis Chamberlain wrote:

[...]
>> In firmware_loading_timeout(), *int* result of __firmware_loading_timeout()
>> multiplied by HZ might overflow before being implicitly cast to *long* when
>> being returned. Rewrite the function using check_mul_overflow() and capping
>> the result at LONG_MAX on actual overflow...
>>
>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>> analysis tool.
>>
>> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
>> Cc: stable@vger.kernel.org
> 
> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>

   And? :-)
   I assume this patch has to go thru the driver-core.git repo managed by Greg KH,
and Greg seems to ignore at least my USB patches... :-/ so I guess this patch has
no chance of hitting Linus' tree as well?

>   Luis

MBR, Sergey