Kernel

kernel@openeuler.org

  • 55 participants
  • 18771 discussions
[PATCH openEuler-1.0-LTS] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 7e0722b62cae..e39d25744ea2 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -24,6 +24,7 @@ #include <linux/completion.h> #include <linux/cpumask.h> #include <linux/memblock.h> +#include <linux/nospec.h> #include <linux/slab.h> #include <linux/reboot.h> #include <linux/syscalls.h> @@ -1224,6 +1225,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- 2.34.1
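Review bot: In the SYSCALL_DEFINE1(rtas, ...) hunk, the second clamp, `nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);`, uses an exclusive bound, while the check visible just above it only rejects `nargs + nret > ARRAY_SIZE(args.args)`. A request with nargs + nret exactly equal to ARRAY_SIZE(args.args) therefore passes the check and then has nret forced to 0 architecturally, not only under speculation, because array_index_nospec() returns 0 for any index that is not strictly below its size argument. Either confirm that no caller of sys_rtas on this branch fills the array completely, or pass `ARRAY_SIZE(args.args) - nargs + 1` as the bound so the clamp admits the same range as the check.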
[openeuler:OLK-5.10 29872/30000] ld.lld: error: duplicate symbol: lld_dev_hold
by kernel test robot 24 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: 686352476cd29ec854b93e09a49d57c25a18a32f
commit: 33116132568edcf6565cfd65cfa433f440d90494 [29872/30000] drm/qxl: Add check for drm_cvt_mode
config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409241604.35w0b2j4-lkp@intel.com/

Note: the openeuler/OLK-5.10 HEAD 686352476cd29ec854b93e09a49d57c25a18a32f builds fine. It only hurts bisectability.

All errors (new ones prefixed by >>):

>> ld.lld: error: duplicate symbol: lld_dev_hold
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a
>>> defined at sss_adapter_mgmt.c
>>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x20) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_put
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a
>>> defined at sss_adapter_mgmt.c
>>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x80) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: g_uld_mutex
>>> defined at sss_pci_global.c
>>> net/ethernet/3snic/sssnic/hw/sss_pci_global.o:(g_uld_mutex) in archive drivers/built-in.a
>>> defined at hinic3_lld.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_lld.o:(.bss+0x340) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_hold
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a
>>> defined at hinic3_dev_mgmt.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x120) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_put
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a
>>> defined at hinic3_dev_mgmt.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x180) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: nic_ioctl
>>> defined at hinic_nictool.c
>>> net/ethernet/huawei/hinic/hinic_nictool.o:(nic_ioctl) in archive drivers/built-in.a
>>> defined at hinic3_dbg.c
>>> net/ethernet/huawei/hinic3/hinic3_dbg.o:(.text+0x0) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: set_slave_host_enable
>>> defined at hinic_multi_host_mgmt.c
>>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_slave_host_enable) in archive drivers/built-in.a
>>> defined at hinic3_hwdev.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x0) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: set_func_host_mode
>>> defined at hinic_multi_host_mgmt.c
>>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_func_host_mode) in archive drivers/built-in.a
>>> defined at hinic3_hwdev.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x2C0) in archive drivers/built-in.a

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index bf962051af0a..2e92e87ac0e3 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -21,6 +21,7 @@ #include <linux/completion.h> #include <linux/cpumask.h> #include <linux/memblock.h> +#include <linux/nospec.h> #include <linux/slab.h> #include <linux/reboot.h> #include <linux/syscalls.h> @@ -1168,6 +1169,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- 2.34.1
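Review bot: The two added lines in the SYSCALL_DEFINE1(rtas, ...) hunk carry no comment, and nothing at that spot says that they exist only to constrain speculative execution after the bounds checks, or that the bound for nret is computed from the already clamped nargs. A one-line comment above them, for example `/* Clamp for speculation; nret's bound depends on the clamped nargs. */`, would keep a later cleanup from reordering the pair or dropping it as redundant with the -EINVAL check.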
[PATCH OLK-6.6] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 46b9476d7582..dc294c95da21 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -18,6 +18,7 @@ #include <linux/kernel.h> #include <linux/lockdep.h> #include <linux/memblock.h> +#include <linux/nospec.h> #include <linux/of.h> #include <linux/of_fdt.h> #include <linux/reboot.h> @@ -1839,6 +1840,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- 2.34.1
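Review bot: In the SYSCALL_DEFINE1(rtas, ...) hunk, `nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));` leaves valid input unchanged only if the preceding check rejects nargs equal to ARRAY_SIZE(args.args), and the nargs condition lies outside the hunk context (only `|| nargs + nret > ARRAY_SIZE(args.args))` is visible). Please confirm that this tree compares nargs with `>=` there; with `>`, a full-length argument list would be clamped to 0 before copy_from_user() and the call would proceed with no arguments copied in.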
[PATCH openEuler-1.0-LTS] VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
by Zhang Kunbo 24 Sep '24

From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> mainline inclusion from mainline-v6.11-rc7 commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L CVE: CVE-2024-46738 Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal… -------------------------------- When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). Fixes: bc63dedb7d46 ("VMCI: resource object implementation.") Cc: stable(a)vger.kernel.org Reported-by: George Kennedy <george.kennedy(a)oracle.com> Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/misc/vmw_vmci/vmci_resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c index da1ee2e1ba99..2779704e128a 100644 --- a/drivers/misc/vmw_vmci/vmci_resource.c +++ b/drivers/misc/vmw_vmci/vmci_resource.c @@ -152,7 +152,8 @@ void vmci_resource_remove(struct vmci_resource *resource) spin_lock(&vmci_resource_table.lock); hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) { - if (vmci_handle_is_equal(r->handle, resource->handle)) { + if (vmci_handle_is_equal(r->handle, resource->handle) && + resource->type == r->type) { hlist_del_init_rcu(&r->node); break; } -- 2.34.1
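Review bot: In the vmci_resource_remove() hunk, the new condition still identifies the entry by value (`vmci_handle_is_equal(r->handle, resource->handle) && resource->type == r->type`), although the function is handed the exact `resource` to unlink. That is correct only if a (handle, type) pair is unique in vmci_resource_table, which these lines do not show; comparing `r == resource` would remove precisely the object that is about to be freed. If the value comparison is kept to match mainline, writing it as `r->type == resource->type` would follow the operand order of the handle comparison.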
[PATCH OLK-5.10] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 5976a25c6264..9d87e7dec5f1 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -21,6 +21,7 @@ #include <linux/completion.h> #include <linux/cpumask.h> #include <linux/memblock.h> +#include <linux/nospec.h> #include <linux/slab.h> #include <linux/reboot.h> #include <linux/syscalls.h> @@ -1173,6 +1174,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- 2.34.1
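Review bot: The backport note `Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.]` does not say which headers differ, so the adjusted context of the `#include <linux/nospec.h>` hunk cannot be checked against the mainline commit from the message alone. Name the headers that are absent in this tree (the hunk places the include between <linux/memblock.h> and <linux/slab.h>), and state that the Smatch reference `rtas.c:1932` is the mainline location, since the function hunk here starts at `@@ -1173,6 +1174,9 @@`.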
[PATCH OLK-6.6] hwmon: (adc128d818) Fix underflows seen when writing limit attributes
by Chen Zhongjin 24 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v6.6.51 commit 6891b11a0c6227ca7ed15786928a07b1c0e4d4af category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWHX CVE: CVE-2024-46759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/hwmon/adc128d818.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c index 46e3c8c50765..73fd96799847 100644 --- a/drivers/hwmon/adc128d818.c +++ b/drivers/hwmon/adc128d818.c @@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev, mutex_lock(&data->update_lock); /* 10 mV LSB on limit registers */ - regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); + regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); data->in[index][nr] = regval << 4; reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); i2c_smbus_write_byte_data(data->client, reg, regval); @@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev, return err; mutex_lock(&data->update_lock); - regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); + regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); data->temp[index] = regval << 1; i2c_smbus_write_byte_data(data->client, index == 1 ? ADC128_REG_TEMP_MAX -- 2.25.1
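Review bot: In both hunks the new clamp limits (`0, 2550` in adc128_in_store() and `-128000, 127000` in adc128_temp_store()) are the old register limits pre-multiplied by the divisor, and nothing ties them to the `10` and `1000` on the same line. If either the divisor or the register range is changed later, the two can drift apart unnoticed. Consider spelling the relation out, for example `clamp_val(val, 0, 255 * 10)`, or extending the existing `/* 10 mV LSB on limit registers */` comment to say that the limits are now in input units.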
[PATCH OLK-5.10] hwmon: (adc128d818) Fix underflows seen when writing limit attributes
by Chen Zhongjin 24 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v5.10.226 commit 2a3add62f183459a057336381ef3a896da01ce38 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWHX CVE: CVE-2024-46759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/hwmon/adc128d818.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c index 6c9a906631b8..e73c4de9471f 100644 --- a/drivers/hwmon/adc128d818.c +++ b/drivers/hwmon/adc128d818.c @@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev, mutex_lock(&data->update_lock); /* 10 mV LSB on limit registers */ - regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); + regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); data->in[index][nr] = regval << 4; reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); i2c_smbus_write_byte_data(data->client, reg, regval); @@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev, return err; mutex_lock(&data->update_lock); - regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); + regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); data->temp[index] = regval << 1; i2c_smbus_write_byte_data(data->client, index == 1 ? ADC128_REG_TEMP_MAX -- 2.25.1
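Review bot: The adc128_temp_store() hunk has no unit comment, unlike the adc128_in_store() hunk, which keeps `/* 10 mV LSB on limit registers */` above the changed line. With the clamp now applied before the division, the limits `-128000, 127000` are in the units of the sysfs input rather than register units, which is easy to misread. A matching comment above `regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);` stating the input unit and the 1000:1 scaling would make that explicit.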
[PATCH] hwmon: (adc128d818) Fix underflows seen when writing limit attributes
by Chen Zhongjin 24 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v6.6.51 commit 6891b11a0c6227ca7ed15786928a07b1c0e4d4af category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWHX CVE: CVE-2024-46759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/hwmon/adc128d818.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c index 46e3c8c50765..73fd96799847 100644 --- a/drivers/hwmon/adc128d818.c +++ b/drivers/hwmon/adc128d818.c @@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev, mutex_lock(&data->update_lock); /* 10 mV LSB on limit registers */ - regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); + regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); data->in[index][nr] = regval << 4; reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); i2c_smbus_write_byte_data(data->client, reg, regval); @@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev, return err; mutex_lock(&data->update_lock); - regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); + regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); data->temp[index] = regval << 1; i2c_smbus_write_byte_data(data->client, index == 1 ? ADC128_REG_TEMP_MAX -- 2.25.1
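Review bot: This posting carries no target-branch tag in its subject, while its message cites stable-v6.6.51 and its diff header reads `index 46e3c8c50765..73fd96799847`, the same blob ids as the OLK-6.6 posting of this fix. If it is a resend of that patch it should be marked as such or dropped; if it targets another tree, the subject prefix and the `stable inclusion from` line need to name it so that the adc128_in_store() and adc128_temp_store() hunks are applied to the right branch.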
[PATCH openEuler-1.0-LTS] hwmon: (adc128d818) Fix underflows seen when writing limit attributes
by Chen Zhongjin 24 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v4.19.322 commit 05419d0056dcf7088687e561bb583cc06deba777 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWHX CVE: CVE-2024-46759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/hwmon/adc128d818.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c index bd2ca315c9d8..5abb28cd81bf 100644 --- a/drivers/hwmon/adc128d818.c +++ b/drivers/hwmon/adc128d818.c @@ -184,7 +184,7 @@ static ssize_t adc128_set_in(struct device *dev, struct device_attribute *attr, mutex_lock(&data->update_lock); /* 10 mV LSB on limit registers */ - regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); + regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); data->in[index][nr] = regval << 4; reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); i2c_smbus_write_byte_data(data->client, reg, regval); @@ -222,7 +222,7 @@ static ssize_t adc128_set_temp(struct device *dev, return err; mutex_lock(&data->update_lock); - regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); + regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); data->temp[index] = regval << 1; i2c_smbus_write_byte_data(data->client, index == 1 ? ADC128_REG_TEMP_MAX -- 2.25.1
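Review bot: The description mentions only a large negative input, but in the adc128_set_in() and adc128_set_temp() hunks the reordered clamp bounds the value at both ends, and the upper end matters as well: DIV_ROUND_CLOSEST() adds half the divisor to a positive dividend, so a value near LONG_MAX overflows in the old expression just as the negative case does. It would help to say in the message that both directions are covered, so the fix is not later read as handling negative input only.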