| Message ID | 1480913740-5678-17-git-send-email-linux@roeck-us.net (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Sun, 4 Dec 2016 20:55:40 -0800, Guenter Roeck wrote: > Writes into limit attributes can overflow due to multplications > and additions with unbound input values. > > Signed-off-by: Guenter Roeck <linux@roeck-us.net> > --- > drivers/hwmon/gl520sm.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/drivers/hwmon/gl520sm.c b/drivers/hwmon/gl520sm.c > index dee93ec87d02..4bb37d7234b1 100644 > --- a/drivers/hwmon/gl520sm.c > +++ b/drivers/hwmon/gl520sm.c > @@ -209,10 +209,11 @@ static ssize_t get_cpu_vid(struct device *dev, struct device_attribute *attr, > static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL); > > #define VDD_FROM_REG(val) (((val) * 95 + 2) / 4) > -#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255) > +#define VDD_TO_REG(val) \ > + DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 95 / 4) * 4, 95) > > #define IN_FROM_REG(val) ((val) * 19) > -#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255) > +#define IN_TO_REG(val) DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 19), 19) > > static ssize_t get_in_input(struct device *dev, struct device_attribute *attr, > char *buf) > @@ -514,8 +515,8 @@ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR, > get_fan_off, set_fan_off); > > #define TEMP_FROM_REG(val) (((val) - 130) * 1000) > -#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \ > - (val) - 500 : (val) + 500) / 1000) + 130), 0, 255) > +#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(clamp_val(val, -130000, 125000), \ > + 1000) + 130) > > static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr, > char *buf) Reviewed-by: Jean Delvare <jdelvare@suse.de> But I think FAN_TO_REG can overflow too? Input value is left-shifted without a prior check.
On 12/13/2016 01:56 AM, Jean Delvare wrote: > On Sun, 4 Dec 2016 20:55:40 -0800, Guenter Roeck wrote: >> Writes into limit attributes can overflow due to multplications >> and additions with unbound input values. >> >> Signed-off-by: Guenter Roeck <linux@roeck-us.net> >> --- >> drivers/hwmon/gl520sm.c | 9 +++++---- >> 1 file changed, 5 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/hwmon/gl520sm.c b/drivers/hwmon/gl520sm.c >> index dee93ec87d02..4bb37d7234b1 100644 >> --- a/drivers/hwmon/gl520sm.c >> +++ b/drivers/hwmon/gl520sm.c >> @@ -209,10 +209,11 @@ static ssize_t get_cpu_vid(struct device *dev, struct device_attribute *attr, >> static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL); >> >> #define VDD_FROM_REG(val) (((val) * 95 + 2) / 4) >> -#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255) >> +#define VDD_TO_REG(val) \ >> + DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 95 / 4) * 4, 95) >> >> #define IN_FROM_REG(val) ((val) * 19) >> -#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255) >> +#define IN_TO_REG(val) DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 19), 19) >> >> static ssize_t get_in_input(struct device *dev, struct device_attribute *attr, >> char *buf) >> @@ -514,8 +515,8 @@ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR, >> get_fan_off, set_fan_off); >> >> #define TEMP_FROM_REG(val) (((val) - 130) * 1000) >> -#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \ >> - (val) - 500 : (val) + 500) / 1000) + 130), 0, 255) >> +#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(clamp_val(val, -130000, 125000), \ >> + 1000) + 130) >> >> static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr, >> char *buf) > > Reviewed-by: Jean Delvare <jdelvare@suse.de> > > But I think FAN_TO_REG can overflow too? Input value is left-shifted > without a prior check. > You are right. My older script didn't detect that because the overflow happens with a very low value, and the script just concluded that the value range was [0,0]. After improving my test script, the driver generates KASAN bad memory reports. Outch. I'll have to look into that. Thanks, Guenter -- To unsubscribe from this list: send the line "unsubscribe linux-hwmon" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/hwmon/gl520sm.c b/drivers/hwmon/gl520sm.c index dee93ec87d02..4bb37d7234b1 100644 --- a/drivers/hwmon/gl520sm.c +++ b/drivers/hwmon/gl520sm.c @@ -209,10 +209,11 @@ static ssize_t get_cpu_vid(struct device *dev, struct device_attribute *attr, static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL); #define VDD_FROM_REG(val) (((val) * 95 + 2) / 4) -#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255) +#define VDD_TO_REG(val) \ + DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 95 / 4) * 4, 95) #define IN_FROM_REG(val) ((val) * 19) -#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255) +#define IN_TO_REG(val) DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 19), 19) static ssize_t get_in_input(struct device *dev, struct device_attribute *attr, char *buf) @@ -514,8 +515,8 @@ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR, get_fan_off, set_fan_off); #define TEMP_FROM_REG(val) (((val) - 130) * 1000) -#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \ - (val) - 500 : (val) + 500) / 1000) + 130), 0, 255) +#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(clamp_val(val, -130000, 125000), \ + 1000) + 130) static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr, char *buf)
Writes into limit attributes can overflow due to multplications and additions with unbound input values. Signed-off-by: Guenter Roeck <linux@roeck-us.net> --- drivers/hwmon/gl520sm.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)