On Fri, 2 May 2025 at 10:40, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> The "val->intval" variable is an integer which comes from the user. This
> code has an upper bounds check but the lower bounds check was
> accidentally omitted. The write_to_ec() take a u8 value as a parameter
> so negative values would be truncated to positive values in the 0-255
> range.
>
> Return -EINVAL if the user passes a negative value.
>
> Fixes: 202593d1e86b ("platform/x86: oxpec: Add charge threshold and behaviour to OneXPlayer")
Reviewed-by: Antheas Kapenekakis <lkml@xxxxxxxxxxx>
Thanks,
Antheas
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/platform/x86/oxpec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/oxpec.c b/drivers/platform/x86/oxpec.c
> index 4b48f4571b09..de70ca7e8493 100644
> --- a/drivers/platform/x86/oxpec.c
> +++ b/drivers/platform/x86/oxpec.c
> @@ -582,7 +582,7 @@ static int oxp_psy_ext_set_prop(struct power_supply *psy,
>
> switch (psp) {
> case POWER_SUPPLY_PROP_CHARGE_CONTROL_END_THRESHOLD:
> - if (val->intval > 100)
> + if (val->intval < 0 || val->intval > 100)
> return -EINVAL;
> return write_to_ec(OXP_X1_CHARGE_LIMIT_REG, val->intval);
> case POWER_SUPPLY_PROP_CHARGE_BEHAVIOUR:
> --
> 2.47.2
>
