[PATCH] HID: amd_sfh: Increase bitwidth to avoid shift-out-of-bounds
From: Kai-Heng Feng
Date: Tue Jul 04 2023 - 04:18:26 EST
UBSAN complains shift-out-of-bounds on amd_sfh:
[ 7.593412] input: SYNA3105:00 06CB:CEA3 Mouse as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input11
[ 7.593541] input: SYNA3105:00 06CB:CEA3 Touchpad as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input12
[ 7.593625] hid-multitouch 0018:06CB:CEA3.0001: input,hidraw0: I2C HID v1.00 Mouse [SYNA3105:00 06CB:CEA3] on i2c-SYNA3105:00
[ 7.664537] ================================================================================
[ 7.664540] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[ 7.664544] shift exponent 103 is too large for 64-bit type 'long unsigned int'
[ 7.664547] CPU: 5 PID: 124 Comm: kworker/5:1 Tainted: G W 6.4.0-next-20230703 #1
[ 7.664549] Hardware name: HP HP EliteBook 835 13 inch G10 Notebook PC/8C10, BIOS V83 Ver. 01.01.09 06/05/2023
[ 7.664551] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[ 7.664562] Call Trace:
[ 7.664564] <TASK>
[ 7.664567] dump_stack_lvl+0x48/0x70
[ 7.664576] dump_stack+0x10/0x20
[ 7.664578] __ubsan_handle_shift_out_of_bounds+0x156/0x310
[ 7.664584] ? sched_clock_noinstr+0x9/0x10
[ 7.664589] ? sched_clock_cpu+0x12/0x1d0
[ 7.664594] ? raw_spin_rq_lock_nested+0x1e/0xa0
[ 7.664597] ? psi_group_change+0x237/0x520
[ 7.664600] float_to_int.cold+0x18/0xcf [amd_sfh]
[ 7.664606] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
[ 7.664611] get_input_rep+0x241/0x340 [amd_sfh]
[ 7.664617] amd_sfh_work_buffer+0x91/0x190 [amd_sfh]
[ 7.664622] process_one_work+0x229/0x450
[ 7.664627] worker_thread+0x50/0x3f0
[ 7.664629] ? __pfx_worker_thread+0x10/0x10
[ 7.664632] kthread+0xf4/0x130
[ 7.664635] ? __pfx_kthread+0x10/0x10
[ 7.664638] ret_from_fork+0x29/0x50
[ 7.664644] </TASK>
[ 7.664652] ================================================================================
So increase the variable bitwidth to solve the issue.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@xxxxxxxxxxxxx>
---
drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
index 6f0d332ccf51..550639ef8bfe 100644
--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
+++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
@@ -134,7 +134,8 @@ static void get_common_inputs(struct common_input_property *common, int report_i
static int float_to_int(u32 float32)
{
- int fraction, shift, mantissa, sign, exp, zeropre;
+ int fraction, shift, sign, exp, zeropre;
+ s128 mantissa;
mantissa = float32 & GENMASK(22, 0);
sign = (float32 & BIT(31)) ? -1 : 1;
--
2.34.1