On Sat, May 08, 2021 at 10:01:14AM -0700, Joe Perches wrote:
> On Sat, 2021-05-08 at 17:12 +0100, Jonathan Cameron wrote:
> > On Fri, 7 May 2021 19:30:41 +0100 Colin King <colin.king@xxxxxxxxxxxxx> wrote:
> []
> > > The lux_val returned from tsl2583_get_lux can potentially be zero,
> > > so check for this to avoid a division by zero and an overflowed
> > > gain_trim_val.
> []
> > > Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
> > > Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> > Definitely looks like it could happen so applied to the fixes-togreg branch of
> > iio.git and marked for stable.
> []
> > > diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
> []
> > > @@ -341,6 +341,14 @@ static int tsl2583_als_calibrate(struct iio_dev *indio_dev)
> > > return lux_val;
> > > }
> > >
> > > + /* Avoid division by zero of lux_value later on */
> > > + if (lux_val == 0) {
> > > + dev_err(&chip->client->dev,
> > > + "%s: lux_val of 0 will produce out of range trim_value\n",
> > > + __func__);
> > > + return -ENODATA;
> > > + }
> > > +
> > > gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target)
> > > * chip->als_settings.als_gain_trim) / lux_val);
>
> Is a multiplication overflow possible here?
These are chip->foo values and they ought to be trustworthy.
Of course, in real life, they can be set to INT_MAX in
in_illuminance_input_target_store() and tsl2583_write_raw so they can
overflow... Anyway, if we were going to add a check it would be at
the point where we get the number from the user and before we save it
to chip->
regards,
dan carpenter
