Commit 17828f12 authored by Pei Xiao's avatar Pei Xiao Committed by Li Huafei
Browse files

hwmon: (nct6775-core) Fix overflows seen when writing limit attributes 

stable inclusion
from stable-v6.6.64
commit 685c10269c41d23d7a2b85d3fd6b6345390c8746
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGY
CVE: CVE-2024-53159

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=685c10269c41d23d7a2b85d3fd6b6345390c8746



--------------------------------

[ Upstream commit 57ee12b6c514146c19b6a159013b48727a012960 ]

DIV_ROUND_CLOSEST() after kstrtoul() results in an overflow if a large
number such as 18446744073709551615 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.

Signed-off-by: default avatarPei Xiao <xiaopei01@kylinos.cn>
Fixes: c3963bc0 ("hwmon: (nct6775) Split core and platform driver")
Message-ID: <7d5084cea33f7c0fd0578c59adfff71f93de94d9.1731375425.git.xiaopei01@kylinos.cn>
Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLi Huafei <lihuafei1@huawei.com>
parent 3567c3eb

drivers/hwmon/nct6775-core.c

+3 −4
Original line number Diff line number Diff line
@@ -2878,8 +2878,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr, 
	if (err < 0)

		return err;



	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0,

			data->target_temp_mask);

	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, data->target_temp_mask * 1000), 1000);



	mutex_lock(&data->update_lock);

	data->target_temp[nr] = val;
@@ -2959,7 +2958,7 @@ store_temp_tolerance(struct device *dev, struct device_attribute *attr, 
		return err;



	/* Limit tolerance as needed */

	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, data->tolerance_mask);

	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, data->tolerance_mask * 1000), 1000);



	mutex_lock(&data->update_lock);

	data->temp_tolerance[index][nr] = val;
@@ -3085,7 +3084,7 @@ store_weight_temp(struct device *dev, struct device_attribute *attr, 
	if (err < 0)

		return err;



	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);

	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);



	mutex_lock(&data->update_lock);

	data->weight_temp[index][nr] = val;