Commit 558ad4e4 authored by Guenter Roeck, committed by Tong Tiangen

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

stable inclusion
from stable-v5.10.226
commit 56cfdeb2c77291f0b5e4592731adfb6ca8fc7c24
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX5F
CVE: CVE-2024-46756

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=56cfdeb2c77291f0b5e4592731adfb6ca8fc7c24



--------------------------------

[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
parent 6be8d57e
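
The underflow described in the commit message, modelled in user space as an added example (not code from the patch or the driver). The names `div_round_closest_checked`, `clamp_long`, `target_temp_old` and `target_temp_new` are hypothetical, and the overflow is detected with the GCC/Clang `__builtin_*_overflow` helpers instead of being performed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the kernel's DIV_ROUND_CLOSEST() for long x and d > 0: bias by d/2
 * toward the sign of x, then divide. Reports the overflow instead of doing it. */
static bool div_round_closest_checked(long x, long d, long *out)
{
	long biased;
	bool overflow = (x > 0) ? __builtin_add_overflow(x, d / 2, &biased)
				: __builtin_sub_overflow(x, d / 2, &biased);
	if (overflow)
		return false;
	*out = biased / d;
	return true;
}

static long clamp_long(long v, long lo, long hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/* Pre-patch order: divide millidegrees first, then clamp to 0..127. */
static bool target_temp_old(long mdeg, long *out)
{
	long deg;
	if (!div_round_closest_checked(mdeg, 1000, &deg))
		return false;	/* the unchecked macro would have wrapped here */
	*out = clamp_long(deg, 0, 127);
	return true;
}

/* Patched order: clamp to 0..127000 millidegrees, then divide. */
static bool target_temp_new(long mdeg, long *out)
{
	return div_round_closest_checked(clamp_long(mdeg, 0, 127000), 1000, out);
}

int main(void)
{
	long in[] = { LONG_MIN, -1, 499, 500, 126500, 200000 }; /* constructed inputs */
	for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
		long o = 0, n = 0;
		bool ok_old = target_temp_old(in[i], &o), ok_new = target_temp_new(in[i], &n);
		printf("%ld: old=%s(%ld) new=%s(%ld)\n", in[i],
		       ok_old ? "ok" : "OVERFLOW", o, ok_new ? "ok" : "OVERFLOW", n);
	}
}
```
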
+2 −2
@@ -897,7 +897,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
	if (err < 0)
		return err;

	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);

	mutex_lock(&data->update_lock);
	data->target_temp[nr] = val;
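Review bot: in store_target_temp the bounds 0 and 127000 on the replacement assignment are bare literals with no comment, while store_tolerance carries "Limit the temp to 0C - 15C"; add a matching comment above the assignment, for example /* Limit the temp to 0C - 127C */, and note that the clamp is applied in millidegrees before the division by 1000. The ordering itself looks right: clamp_val(val, 0, 127000) keeps the argument of DIV_ROUND_CLOSEST() non-negative and bounded, and 127000 / 1000 still gives the previous maximum of 127.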
@@ -922,7 +922,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr,
		return err;

	/* Limit the temp to 0C - 15C */
	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);

	mutex_lock(&data->update_lock);
	reg = w83627ehf_read_value(data, W83627EHF_REG_TOLERANCE[nr]);
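Review bot: the comment "Limit the temp to 0C - 15C" above the assignment in store_tolerance now sits over a clamp written as 0 to 15000; extend the comment to say that val is still in millidegrees at that point, so the literal is not read as a unit mistake. Since the same divide-then-clamp reordering is applied twice in this patch, it is also worth confirming that no other store function in the file still passes an unclamped kstrtol() result to DIV_ROUND_CLOSEST().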