Commit 9f5796a1 authored by Guenter Roeck's avatar Guenter Roeck Committed by Xiongfeng Wang
Browse files

hwmon: (lm95234) Fix underflows seen when writing limit attributes 

mainline inclusion
from mainline-v6.11-rc1
commit af64e3e1537896337405f880c1e9ac1f8c0c6198
category: bugfix
bugzilla: hhttps://gitee.com/src-openeuler/kernel/issues/IAS0PZ
CVE: CVE-2024-46758

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af64e3e1537896337405f880c1e9ac1f8c0c6198



--------------------------------

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.

Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
Signed-off-by: default avatarXiongfeng Wang <wangxiongfeng2@huawei.com>
parent a5114f77

drivers/hwmon/lm95234.c

+5 −4
Original line number Diff line number Diff line
@@ -301,7 +301,8 @@ static ssize_t tcrit2_store(struct device *dev, struct device_attribute *attr, 
	if (ret < 0)

		return ret;



	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127);

	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000),

				1000);



	mutex_lock(&data->update_lock);

	data->tcrit2[index] = val;
@@ -350,7 +351,7 @@ static ssize_t tcrit1_store(struct device *dev, struct device_attribute *attr, 
	if (ret < 0)

		return ret;



	val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);

	val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);



	mutex_lock(&data->update_lock);

	data->tcrit1[index] = val;
@@ -391,7 +392,7 @@ static ssize_t tcrit1_hyst_store(struct device *dev, 
	if (ret < 0)

		return ret;



	val = DIV_ROUND_CLOSEST(val, 1000);

	val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000);

	val = clamp_val((int)data->tcrit1[index] - val, 0, 31);



	mutex_lock(&data->update_lock);
@@ -431,7 +432,7 @@ static ssize_t offset_store(struct device *dev, struct device_attribute *attr, 
		return ret;



	/* Accuracy is 1/2 degrees C */

	val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127);

	val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500);



	mutex_lock(&data->update_lock);

	data->toffset[index] = val;