From: Dan Carpenter <dan.carpenter@linaro.org>
To: David Lechner <dlechner@baylibre.com>,
Marcelo Schmitt <marcelo.schmitt1@gmail.com>
Cc: "Michael Hennerich" <Michael.Hennerich@analog.com>,
"Jonathan Cameron" <jic23@kernel.org>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>,
"Jonathan Cameron" <Jonathan.Cameron@huawei.com>,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] iio: adc: ad7124: fix possible OOB array access
Date: Wed, 22 Oct 2025 20:18:42 +0300
Message-ID: <aPkR8imukdrZLdfk@stanley.mountain>
In-Reply-To: <20251022-iio-adc-ad7124-fix-possible-oob-array-access-v1-1-2552062cc8e6@baylibre.com>

On Wed, Oct 22, 2025 at 10:15:05AM -0500, David Lechner wrote:
> Reorder the channel bounds check before using it to index into the
> channels array in ad7124_release_config_slot(). This prevents reading
> past the end of the array.
>
> The value read from invalid memory was not used, so this was mostly
> harmless,

I didn't spend a lot of time looking at the callers, but an out of bounds
read will cause a KASAN warning at runtime (hopefully) and if the page
we're reading from isn't mapped then it can cause a crash.

So, it's not like we can exploit this to get root but it potentially
could be annoying.

> but we still should not be reading out of bounds in the first place.

Thanks!

regards,
dan carpenter
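
The ordering issue discussed in this message, as an added example that is not code from the patch or from the ad7124 driver: struct adc_state, chan_at() and both release_slot_* functions are hypothetical, and the oob_reads counter stands in for the KASAN report by counting an out-of-range index instead of actually reading past the array.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM_CHANNELS 4  /* constructed size, not the driver's */

struct chan { int cfg_slot; };
struct adc_state {
    struct chan channels[NUM_CHANNELS + 1]; /* +1 guard element keeps the demo defined */
    size_t num_channels;
    unsigned int oob_reads;                 /* stand-in for a KASAN report */
};

/* Instrumented accessor: counts an out-of-range index rather than reading past the array. */
static struct chan *chan_at(struct adc_state *st, size_t idx)
{
    if (idx >= st->num_channels) {
        st->oob_reads++;
        return &st->channels[NUM_CHANNELS]; /* guard element */
    }
    return &st->channels[idx];
}

/* Index first, check second: the access happens even when idx is invalid. */
static int release_slot_index_first(struct adc_state *st, size_t idx)
{
    struct chan *c = chan_at(st, idx);      /* flagged for a bad idx */

    if (idx >= st->num_channels)
        return -1;                          /* value unused, access already made */
    c->cfg_slot = -1;
    return 0;
}

/* Check first, index second: an invalid idx never reaches the array. */
static int release_slot_check_first(struct adc_state *st, size_t idx)
{
    if (idx >= st->num_channels)
        return -1;
    chan_at(st, idx)->cfg_slot = -1;
    return 0;
}

int main(void)
{
    struct adc_state a = { .num_channels = NUM_CHANNELS }, b = a;
    release_slot_index_first(&a, NUM_CHANNELS);
    release_slot_check_first(&b, NUM_CHANNELS);
    printf("index-first: %u flagged, check-first: %u flagged\n", a.oob_reads, b.oob_reads);
    return 0;
}
```

Both variants return the same error for an invalid index; only the index-first one touches the array before rejecting it, which is the access a sanitizer would report.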

Thread overview: 6+ messages
2025-10-22 15:15 [PATCH] iio: adc: ad7124: fix possible OOB array access David Lechner
2025-10-22 16:54 ` Marcelo Schmitt
2025-10-22 16:59 ` David Lechner
2025-10-22 17:45 ` Marcelo Schmitt
2025-10-22 17:18 ` Dan Carpenter [this message]
2025-10-27 14:27 ` Jonathan Cameron