lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 10 May 2021 09:59:28 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Joe Perches <joe@...ches.com>
Cc:     Jonathan Cameron <jic23@...nel.org>,
        Colin King <colin.king@...onical.com>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Jon Brenner <jbrenner@...sinc.com>, linux-iio@...r.kernel.org,
        clang-built-linux@...glegroups.com,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iio: tsl2583: Fix division by a zero lux_val

On Sat, May 08, 2021 at 10:01:14AM -0700, Joe Perches wrote:
> On Sat, 2021-05-08 at 17:12 +0100, Jonathan Cameron wrote:
> > On Fri,  7 May 2021 19:30:41 +0100 Colin King <colin.king@...onical.com> wrote:
> []
> > > The lux_val returned from tsl2583_get_lux can potentially be zero,
> > > so check for this to avoid a division by zero and an overflowed
> > > gain_trim_val.
> []
> > > Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
> > > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > Definitely looks like it could happen so applied to the fixes-togreg branch of
> > iio.git and marked for stable.
> []
> > > diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
> []
> > > @@ -341,6 +341,14 @@ static int tsl2583_als_calibrate(struct iio_dev *indio_dev)
> > >  		return lux_val;
> > >  	}
> > > 
> > > +	/* Avoid division by zero of lux_value later on */
> > > +	if (lux_val == 0) {
> > > +		dev_err(&chip->client->dev,
> > > +			"%s: lux_val of 0 will produce out of range trim_value\n",
> > > +			__func__);
> > > +		return -ENODATA;
> > > +	}
> > > +
> > >  	gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target)
> > >  			* chip->als_settings.als_gain_trim) / lux_val);
> 
> Is a multiplication overflow possible here?

These are chip->foo values and they ought to be trustworthy.

Of course, in real life, they can be set to INT_MAX in
in_illuminance_input_target_store() and tsl2583_write_raw so they can
overflow...  Anyway, if we were going to add a check it would be at
the point where we get the number from the user and before we save it
to chip->

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ