Linux IIO development
From: Jonathan Cameron <jic23@kernel.org>
To: Zicheng Qu <quzicheng@huawei.com>
Cc: lars@metafoo.de, Michael.Hennerich@analog.com,
	patrick.vasseur@c-s.fr, christophe.leroy@c-s.fr,
	linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
	tanghui20@huawei.com, zhangqiao22@huawei.com,
	judy.chenhui@huawei.com, "Nuno Sá" <noname.nuno@gmail.com>,
	"Nuno Sá" <nuno.sa@analog.com>
Subject: Re: [PATCH] ad7923: fix array out of bounds in ad7923_update_scan_mode()
Date: Mon, 28 Oct 2024 20:50:14 +0000
Message-ID: <20241028205004.2298af74@jic23-huawei>
In-Reply-To: <20241028142357.1032380-1-quzicheng@huawei.com>

On Mon, 28 Oct 2024 14:23:57 +0000
Zicheng Qu <quzicheng@huawei.com> wrote:

> In the ad7923_update_scan_mode(), the variable len may exceed the length
> of the st->tx_buf array, leading to an array overflow issue. The final
> value of len depends on active_scan_mask (an unsigned long) and
> num_channels-1 (an integer), with an upper limit of num_channels-1. In
> the ad7923_probe() function, when assigning to indio_dev->num_channels,
> its size is not checked. Therefore, in ad7923_update_scan_mode(), since
> active_scan_mask is an unsigned long and num_channels has no set upper
> limit, an overflow might occur.
> 
> Fixes: 0eac259db28f ("IIO ADC support for AD7923")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
Thanks.
This looks to be a valid bug but a wrong fix. Fairly sure the number of channels
supported has changed at some point (probably with addition of more parts)
and the size of tx has not increased to match.

Nuno, could you take a look?

Jonathan


> ---
>  drivers/iio/adc/ad7923.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/iio/adc/ad7923.c b/drivers/iio/adc/ad7923.c
> index 09680015a7ab..82b341709a64 100644
> --- a/drivers/iio/adc/ad7923.c
> +++ b/drivers/iio/adc/ad7923.c
> @@ -170,6 +170,8 @@ static int ad7923_update_scan_mode(struct iio_dev *indio_dev,
>  	 * skip that one.
>  	 */
>  	for_each_set_bit(i, active_scan_mask, indio_dev->num_channels - 1) {
> +		if (len >= 4)
> +			return -EINVAL;
>  		cmd = AD7923_WRITE_CR | AD7923_CHANNEL_WRITE(i) |
>  			AD7923_SEQUENCE_WRITE(AD7923_SEQUENCE_OFF) |
>  			st->settings;
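Review bot: the guard `if (len >= 4)` hard-codes the buffer size instead of deriving it from the array, and it sits inside the per-channel loop, where it turns an otherwise valid scan mask into a runtime -EINVAL rather than addressing the undersized buffer. If a check is kept at all, use ARRAY_SIZE(st->tx_buf) so the limit cannot drift from the declaration again; the actual fix is to size st->tx_buf (and the matching ring_xfer entries) for the largest channel count any supported part declares, so update_scan_mode never has to reject a mask the hardware can serve.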

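As an added illustration of the bound the commit message describes (not the driver's code): a C model of the scan-mode loop that counts the command words a given active_scan_mask produces and compares that with the tx buffer size, plus the probe-time check that makes the runtime guard unnecessary. TX_BUF_ENTRIES and MAX_CHANNELS are assumed constants, not values from the driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>

/* Model of the ad7923_update_scan_mode() bound, not the driver's code.
 * TX_BUF_ENTRIES stands in for the size of st->tx_buf (assumed 4, the
 * constant used in the patch); MAX_CHANNELS is a hypothetical larger channel
 * count such as a newer part might declare. */
#define TX_BUF_ENTRIES 4
#define MAX_CHANNELS   8

/* Number of command words the scan-mode loop would emit for a mask: one per
 * set bit below num_channels - 1, since the last channel is the timestamp
 * and is skipped, as in the driver's for_each_set_bit() loop. */
size_t scan_words_needed(unsigned long active_scan_mask, unsigned int num_channels)
{
	size_t len = 0;
	unsigned int nbits = num_channels - 1;

	for (unsigned int i = 0; i < nbits && i < sizeof(unsigned long) * CHAR_BIT; i++)
		if (active_scan_mask & (1UL << i))
			len++;
	return len;
}

/* True when the words the loop would write exceed a buffer of buf_entries,
 * i.e. the out-of-bounds write the commit message describes would occur. */
bool scan_overflows(unsigned long mask, unsigned int num_channels, size_t buf_entries)
{
	return scan_words_needed(mask, num_channels) > buf_entries;
}

/* Probe-time check: a buffer sized for the largest channel count the part
 * declares cannot overflow for any mask, so no per-mask rejection is needed. */
bool buffer_fits_all_channels(size_t buf_entries, unsigned int num_channels)
{
	return buf_entries >= (size_t)(num_channels - 1);
}
```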

Thread overview: 9+ messages
2024-10-28 14:23 [PATCH] ad7923: fix array out of bounds in ad7923_update_scan_mode() Zicheng Qu
2024-10-28 20:50 ` Jonathan Cameron [this message]
2024-10-29  8:40   ` Nuno Sá
2024-10-29 13:46 ` [PATCH v2] iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer Zicheng Qu
2024-10-31 13:54   ` Zicheng Qu
2024-10-31 14:20   ` Nuno Sá
2024-10-31 21:05     ` Jonathan Cameron
2024-11-01  1:22       ` Zicheng Qu
2024-11-04  9:13       ` Nuno Sá