Date: Thu, 30 Jan 2020 18:12:24 +0000 (UTC) From: Conrad Meyer <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r357300 - head/sys/dev/aic7xxx Message-ID: <202001301812.00UICOXS044235@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Thu Jan 30 18:12:24 2020 New Revision: 357300 URL: https://svnweb.freebsd.org/changeset/base/357300 Log: aic7xxx(4): Fix unintended sign extension in ahd_inq() ahd_inb() returns type uint8_t. The shift left by untyped 24 implicitly promotes the result to type (signed) int. Then the binary OR with uint64_t values sign-extends the integer. If bit 31 of the read value happened to be set, the 64-bit result would have all upper 32 bits set to 1 due to OR. This is clearly not intended. Reported by: Coverity CID: 980473 (old one!) Modified: head/sys/dev/aic7xxx/aic79xx_inline.h Modified: head/sys/dev/aic7xxx/aic79xx_inline.h ============================================================================== --- head/sys/dev/aic7xxx/aic79xx_inline.h Thu Jan 30 17:50:51 2020 (r357299) +++ head/sys/dev/aic7xxx/aic79xx_inline.h Thu Jan 30 18:12:24 2020 (r357300) @@ -567,7 +567,7 @@ ahd_inq(struct ahd_softc *ahd, u_int port) return ((ahd_inb(ahd, port)) | (ahd_inb(ahd, port+1) << 8) | (ahd_inb(ahd, port+2) << 16) - | (ahd_inb(ahd, port+3) << 24) + | (((uint64_t)ahd_inb(ahd, port+3)) << 24) | (((uint64_t)ahd_inb(ahd, port+4)) << 32) | (((uint64_t)ahd_inb(ahd, port+5)) << 40) | (((uint64_t)ahd_inb(ahd, port+6)) << 48)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202001301812.00UICOXS044235>