[PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan

kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write()
@ 2022-01-21  5:39 Dan Carpenter
  2022-01-21  6:10 ` Guenter Roeck
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2022-01-21  5:39 UTC (permalink / raw)
  To: Jean Delvare, Chris Packham; +Cc: Guenter Roeck, linux-hwmon, kernel-janitors

The "val" variable is controlled by the user and comes from
hwmon_attr_store().  The FAN_RPM_TO_PERIOD() macro divides by "val"
so a zero will crash the system.  Check for that and return -EINVAL.

Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/hwmon/adt7470.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
index d519aca4a9d6..cd474584dc0b 100644
--- a/drivers/hwmon/adt7470.c
+++ b/drivers/hwmon/adt7470.c
@@ -662,6 +662,9 @@ static int adt7470_fan_write(struct device *dev, u32 attr, int channel, long val
 	struct adt7470_data *data = dev_get_drvdata(dev);
 	int err;
 
+	if (!val)
+		return -EINVAL;
+
 	val = FAN_RPM_TO_PERIOD(val);
 	val = clamp_val(val, 1, 65534);
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write()
  2022-01-21  5:39 [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write() Dan Carpenter
@ 2022-01-21  6:10 ` Guenter Roeck
  2022-01-21  7:37   ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Guenter Roeck @ 2022-01-21  6:10 UTC (permalink / raw)
  To: Dan Carpenter, Jean Delvare, Chris Packham; +Cc: linux-hwmon, kernel-janitors

On 1/20/22 9:39 PM, Dan Carpenter wrote:
> The "val" variable is controlled by the user and comes from
> hwmon_attr_store().  The FAN_RPM_TO_PERIOD() macro divides by "val"
> so a zero will crash the system.  Check for that and return -EINVAL.
> 
> Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/hwmon/adt7470.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
> index d519aca4a9d6..cd474584dc0b 100644
> --- a/drivers/hwmon/adt7470.c
> +++ b/drivers/hwmon/adt7470.c
> @@ -662,6 +662,9 @@ static int adt7470_fan_write(struct device *dev, u32 attr, int channel, long val
>   	struct adt7470_data *data = dev_get_drvdata(dev);
>   	int err;
>   
> +	if (!val)
> +		return -EINVAL;
> +

Technically that restores old (pre-fc958a61ff6d) behavior, but it is still bad:
Userspace can provide a value of -1 (or any other negative number), and it will
translate to 5400000 RPM. So it should either be

	if (val <= 0)
		return -EINVAL;

or
	if (val <= 0)
		val = 1;

Thanks,
Guenter

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write()
  2022-01-21  6:10 ` Guenter Roeck
@ 2022-01-21  7:37   ` Dan Carpenter
  2022-01-21 14:03     ` Guenter Roeck
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2022-01-21  7:37 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: Jean Delvare, Chris Packham, linux-hwmon, kernel-janitors

On Thu, Jan 20, 2022 at 10:10:45PM -0800, Guenter Roeck wrote:
> On 1/20/22 9:39 PM, Dan Carpenter wrote:
> > The "val" variable is controlled by the user and comes from
> > hwmon_attr_store().  The FAN_RPM_TO_PERIOD() macro divides by "val"
> > so a zero will crash the system.  Check for that and return -EINVAL.
> > 
> > Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >   drivers/hwmon/adt7470.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
> > index d519aca4a9d6..cd474584dc0b 100644
> > --- a/drivers/hwmon/adt7470.c
> > +++ b/drivers/hwmon/adt7470.c
> > @@ -662,6 +662,9 @@ static int adt7470_fan_write(struct device *dev, u32 attr, int channel, long val
> >   	struct adt7470_data *data = dev_get_drvdata(dev);
> >   	int err;
> > +	if (!val)
> > +		return -EINVAL;
> > +
> 
> Technically that restores old (pre-fc958a61ff6d) behavior, but it is still bad:
> Userspace can provide a value of -1 (or any other negative number), and it will
> translate to 5400000 RPM. So it should either be
> 
> 	if (val <= 0)
> 		return -EINVAL;
> 
> or
> 	if (val <= 0)
> 		val = 1;

There is a clamp() which does already turn invalid values into something
valid.

	val = FAN_RPM_TO_PERIOD(val);
	val = clamp_val(val, 1, 65534);

But I will make the <= 0 return -EINVAL change and resend.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write()
  2022-01-21  7:37   ` Dan Carpenter
@ 2022-01-21 14:03     ` Guenter Roeck
  0 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2022-01-21 14:03 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Jean Delvare, Chris Packham, linux-hwmon, kernel-janitors

On 1/20/22 11:37 PM, Dan Carpenter wrote:
> On Thu, Jan 20, 2022 at 10:10:45PM -0800, Guenter Roeck wrote:
>> On 1/20/22 9:39 PM, Dan Carpenter wrote:
>>> The "val" variable is controlled by the user and comes from
>>> hwmon_attr_store().  The FAN_RPM_TO_PERIOD() macro divides by "val"
>>> so a zero will crash the system.  Check for that and return -EINVAL.
>>>
>>> Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> ---
>>>    drivers/hwmon/adt7470.c | 3 +++
>>>    1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
>>> index d519aca4a9d6..cd474584dc0b 100644
>>> --- a/drivers/hwmon/adt7470.c
>>> +++ b/drivers/hwmon/adt7470.c
>>> @@ -662,6 +662,9 @@ static int adt7470_fan_write(struct device *dev, u32 attr, int channel, long val
>>>    	struct adt7470_data *data = dev_get_drvdata(dev);
>>>    	int err;
>>> +	if (!val)
>>> +		return -EINVAL;
>>> +
>>
>> Technically that restores old (pre-fc958a61ff6d) behavior, but it is still bad:
>> Userspace can provide a value of -1 (or any other negative number), and it will
>> translate to 5400000 RPM. So it should either be
>>
>> 	if (val <= 0)
>> 		return -EINVAL;
>>
>> or
>> 	if (val <= 0)
>> 		val = 1;
> 
> There is a clamp() which does already turn invalid values into something
> valid.
> 

Yes, but
	-1 -> -5400000 -> 1, which translates to 5400000 rpm.
This is in contrast to
	1 -> 5400000 -> 65534
which translates to a more reasonable 82 rpm.

> 	val = FAN_RPM_TO_PERIOD(val);
> 	val = clamp_val(val, 1, 65534);
> 
> But I will make the <= 0 return -EINVAL change and resend.
> 
Thanks,
Guenter

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-01-21 14:04 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-21  5:39 [PATCH] hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write() Dan Carpenter
2022-01-21  6:10 ` Guenter Roeck
2022-01-21  7:37   ` Dan Carpenter
2022-01-21 14:03     ` Guenter Roeck

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).