Re: [PATCH 17/17] hwmon: (gl520sm) Fix overflows seen when writing into limit attributes

Tue, 13 Dec 2016 06:50:14 -0800 

On 12/13/2016 01:56 AM, Jean Delvare wrote:

On Sun,  4 Dec 2016 20:55:40 -0800, Guenter Roeck wrote:

Writes into limit attributes can overflow due to multplications
and additions with unbound input values.

Signed-off-by: Guenter Roeck <li...@roeck-us.net>
---
 drivers/hwmon/gl520sm.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/hwmon/gl520sm.c b/drivers/hwmon/gl520sm.c
index dee93ec87d02..4bb37d7234b1 100644
--- a/drivers/hwmon/gl520sm.c
+++ b/drivers/hwmon/gl520sm.c
@@ -209,10 +209,11 @@ static ssize_t get_cpu_vid(struct device *dev, struct 
device_attribute *attr,
 static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL);

 #define VDD_FROM_REG(val) (((val) * 95 + 2) / 4)
-#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255)
+#define VDD_TO_REG(val) \
+       DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 95 / 4) * 4, 95)

 #define IN_FROM_REG(val) ((val) * 19)
-#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255)
+#define IN_TO_REG(val) DIV_ROUND_CLOSEST(clamp_val(val, 0, 255 * 19), 19)

 static ssize_t get_in_input(struct device *dev, struct device_attribute *attr,
                            char *buf)
@@ -514,8 +515,8 @@ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR,
                get_fan_off, set_fan_off);

 #define TEMP_FROM_REG(val) (((val) - 130) * 1000)
-#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \
-                       (val) - 500 : (val) + 500) / 1000) + 130), 0, 255)
+#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(clamp_val(val, -130000, 125000), \
+                                           1000) + 130)

 static ssize_t get_temp_input(struct device *dev, struct device_attribute 
*attr,
                              char *buf)


Reviewed-by: Jean Delvare <jdelv...@suse.de>

But I think FAN_TO_REG can overflow too? Input value is left-shifted
without a prior check.


You are right. My older script didn't detect that because the overflow happens
with a very low value, and the script just concluded that the value range was 
[0,0].

After improving my test script, the driver generates KASAN bad memory reports.
Outch. I'll have to look into that.

Thanks,
Guenter

--
To unsubscribe from this list: send the line "unsubscribe linux-hwmon" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to