Commit 11586047 authored by Ricardo Ribalda's avatar Ricardo Ribalda Committed by openeuler-sync-bot
Browse files

media: dvb-frontends: tda10048: Fix integer overflow 

stable inclusion
from stable-v5.10.222
commit e1ba22618758e95e09c9fd30c69ccce38edf94c0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSNO
CVE: CVE-2024-42223

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e1ba22618758e95e09c9fd30c69ccce38edf94c0

--------------------------------

[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ]

state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
when multiplied by pll_mfactor.

Create a new 64 bit variable to hold the calculations.

Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org


Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: default avatarRicardo Ribalda <ribalda@chromium.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarYi Yang <yiyang13@huawei.com>
(cherry picked from commit 53366093)
parent bab2755e

drivers/media/dvb-frontends/tda10048.c

+6 −3
Original line number Diff line number Diff line
@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) 
	struct tda10048_config *config = &state->config;

	int i;

	u32 if_freq_khz;

	u64 sample_freq;



	dprintk(1, "%s(bw = %d)\n", __func__, bw);
@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) 
	dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor);



	/* Calculate the sample frequency */

	state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45);

	state->sample_freq /= (state->pll_nfactor + 1);

	state->sample_freq /= (state->pll_pfactor + 4);

	sample_freq = state->xtal_hz;

	sample_freq *= state->pll_mfactor + 45;

	do_div(sample_freq, state->pll_nfactor + 1);

	do_div(sample_freq, state->pll_pfactor + 4);

	state->sample_freq = sample_freq;

	dprintk(1, "- sample_freq = %d\n", state->sample_freq);



	/* Update the I/F */