From: PaX Team
> Sent: 26 September 2015 14:47
> hi all,
>
> drivers/usb/host/r8a66597-hcd.c:r8a66597_hub_descriptor can truncate
> r8a66597.max_root_hub (of type unsigned int) to an unsigned char:
>
> desc->bNbrPorts = r8a66597->max_root_hub;
>
> based on the surrounding code my guess is that max_root_hub can simply
> be turned into an unsigned char field as it can't hold a value bigger
> than U8_MAX. in fact its value can't be bigger than 7 anyway since
> later the code uses it like this:
>
> desc->u.hs.DeviceRemovable[0] = ((1 << r8a66597->max_root_hub) - 1) <<
> 1;
>
> can anyone tell me if this analysis is correct?
>
> FTR, this issue was detected with the upcoming version of the size overflow
> plugin we have in PaX/grsecurity and there're a handful of similar cases in
> the tree where potentially unwanted or unnecessary integer truncations occur,
> this being one of these. any opinion/help is welcome!
What do you intend doing to 'fix' these integer truncation warnings?
IMHO adding C casts makes the code unreadable and can hide more
serious errors.
If you want to detect invalid truncations you need a tool that
tracks the domain of valid values for integer types.
It might need some source code annotation on the definition of fields.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
