Commit 4c64e2fc authored by Vasileios Amoiridis's avatar Vasileios Amoiridis Committed by Hongbo Li

iio: chemical: bme680: Fix overflows in compensate() functions

stable inclusion
from stable-v5.10.221
commit c326551e99f5416986074ce78bef94f6a404b517
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOZ
CVE: CVE-2024-42086

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c326551e99f5416986074ce78bef94f6a404b517

--------------------------------

commit fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 upstream.

There are cases in the compensate functions of the driver where
variables could overflow due to bit shifting ops.
These implications were initially discussed here [1] and they
were mentioned in log message of Commit 1b3bd859 ("iio:
chemical: Add support for Bosch BME680 sensor").

[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/



Fixes: 1b3bd859 ("iio: chemical: Add support for Bosch BME680 sensor")
Signed-off-by: default avatarVasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240606212313.207550-4-vassilisamir@gmail.com


Cc: <Stable@vger.kernel.org>
Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarHongbo Li <lihongbo22@huawei.com>
parent ec8c5f98
+6 −6
@@ -342,10 +342,10 @@ static s16 bme680_compensate_temp(struct bme680_data *data,
	if (!calib->par_t2)
		bme680_read_calib(data, calib);

	var1 = (adc_temp >> 3) - (calib->par_t1 << 1);
	var1 = (adc_temp >> 3) - ((s32)calib->par_t1 << 1);
	var2 = (var1 * calib->par_t2) >> 11;
	var3 = ((var1 >> 1) * (var1 >> 1)) >> 12;
	var3 = (var3 * (calib->par_t3 << 4)) >> 14;
	var3 = (var3 * ((s32)calib->par_t3 << 4)) >> 14;
	data->t_fine = var2 + var3;
	calc_temp = (data->t_fine * 5 + 128) >> 8;

@@ -368,9 +368,9 @@ static u32 bme680_compensate_press(struct bme680_data *data,
	var1 = (data->t_fine >> 1) - 64000;
	var2 = ((((var1 >> 2) * (var1 >> 2)) >> 11) * calib->par_p6) >> 2;
	var2 = var2 + (var1 * calib->par_p5 << 1);
	var2 = (var2 >> 2) + (calib->par_p4 << 16);
	var2 = (var2 >> 2) + ((s32)calib->par_p4 << 16);
	var1 = (((((var1 >> 2) * (var1 >> 2)) >> 13) *
			(calib->par_p3 << 5)) >> 3) +
			((s32)calib->par_p3 << 5)) >> 3) +
			((calib->par_p2 * var1) >> 1);
	var1 = var1 >> 18;
	var1 = ((32768 + var1) * calib->par_p1) >> 15;
@@ -388,7 +388,7 @@ static u32 bme680_compensate_press(struct bme680_data *data,
	var3 = ((press_comp >> 8) * (press_comp >> 8) *
			(press_comp >> 8) * calib->par_p10) >> 17;

	press_comp += (var1 + var2 + var3 + (calib->par_p7 << 7)) >> 4;
	press_comp += (var1 + var2 + var3 + ((s32)calib->par_p7 << 7)) >> 4;

	return press_comp;
}
@@ -414,7 +414,7 @@ static u32 bme680_compensate_humid(struct bme680_data *data,
		 (((temp_scaled * ((temp_scaled * calib->par_h5) / 100))
		   >> 6) / 100) + (1 << 14))) >> 10;
	var3 = var1 * var2;
	var4 = calib->par_h6 << 7;
	var4 = (s32)calib->par_h6 << 7;
	var4 = (var4 + ((temp_scaled * calib->par_h7) / 100)) >> 4;
	var5 = ((var3 >> 14) * (var3 >> 14)) >> 10;
	var6 = (var4 * var5) >> 1;
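Review bot: In the bme680_compensate_press() hunk, `var2 = var2 + (var1 * calib->par_p5 << 1);` is left without widening even though it shifts a full product rather than a single calibration field, so it looks more exposed to overflow than the operands this commit casts. The declarations of var1 and par_p5 are outside the hunk, but if var1 is s32 and par_p5 is a 16-bit value read from the device, an out-of-range calibration word could push `var1 * calib->par_p5` past 32 bits before the shift. Consider computing it as `(s64)var1 * calib->par_p5` and range-checking before narrowing, or at least adding a comment such as `/* product fits in s32 only while par_p5 stays within the sensor's calibrated range */`. The triple product `(press_comp >> 8) * (press_comp >> 8) * (press_comp >> 8) * calib->par_p10` in the next hunk deserves the same check. Separately, if the calib fields are 16 bits or narrower, integer promotion already performs these shifts in `int`, so the new `(s32)` casts would document intent rather than change the arithmetic; worth confirming against the struct definition.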