Commit d2583169 authored Sep 26, 2024 by Guenter Roeck Committed by Tong Tiangen Sep 26, 2024

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

stable inclusion
from stable-v4.19.322
commit 93cf73a7bfdce683bde3a7bb65f270d3bd24497b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX5F
CVE: CVE-2024-46756

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=93cf73a7bfdce683bde3a7bb65f270d3bd24497b



--------------------------------

[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>

parent 4c94bdfb

drivers/hwmon/w83627ehf.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1519,7 +1519,7 @@ store_target_temp(struct device dev, struct device_attribute attr,
		if (err < 0)
		return err;

		val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
		val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);

		mutex_lock(&data->update_lock);
		data->target_temp[nr] = val;
		@@ -1545,7 +1545,7 @@ store_tolerance(struct device dev, struct device_attribute attr,
		return err;

		/* Limit the temp to 0C - 15C */
		val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
		val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);

		mutex_lock(&data->update_lock);
		if (sio_data->kind == nct6775 \|\| sio_data->kind == nct6776) {