From: David Lechner <dlechner@baylibre.com>
To: gerben@altlinux.org, jagathjog1996@gmail.com
Cc: jic23@kernel.org, nuno.sa@analog.com, andy@kernel.org,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: Re: [PATCH] iio: imu: bmi323: Fix potential out-of-bounds access of bmi323_hw[]
Date: Sat, 11 Apr 2026 14:28:07 -0500
Message-ID: <ceb7a191-2e6d-4711-b108-e91a2fcaf2d7@baylibre.com>
In-Reply-To: <20260327103202.459143-1-gerben@altlinux.org>
On 3/27/26 5:32 AM, gerben@altlinux.org wrote:
> From: Denis Rastyogin <gerben@altlinux.org>
>
> The bmi323_channels[] array defines a channel with chan->type =
> IIO_TEMP and enables the IIO_CHAN_INFO_SCALE mask. As a result,
> bmi323_write_raw() may be called for this channel. However,
> bmi323_iio_to_sensor() returns -EINVAL for IIO_TEMP, and if this
> value is not validated, it can lead to an out-of-bounds access
> when used as an array index.
>
> A similar case is properly handled in bmi323_read_raw() and does
> not result in an error.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 8a636db3aa57 ("iio: imu: Add driver for BMI323 IMU")
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
> drivers/iio/imu/bmi323/bmi323_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/iio/imu/bmi323/bmi323_core.c b/drivers/iio/imu/bmi323/bmi323_core.c
> index 6bcb9a436581..64ead4f667e0 100644
> --- a/drivers/iio/imu/bmi323/bmi323_core.c
> +++ b/drivers/iio/imu/bmi323/bmi323_core.c
> @@ -1713,6 +1713,8 @@ static int bmi323_write_raw(struct iio_dev *indio_dev,
> iio_device_release_direct(indio_dev);
> return ret;
> case IIO_CHAN_INFO_SCALE:
> + if (chan->type == IIO_TEMP)
> + return -EINVAL;
> if (!iio_device_claim_direct(indio_dev))
> return -EBUSY;
> ret = bmi323_set_scale(data, bmi323_iio_to_sensor(chan->type),
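Review bot: the IIO_TEMP guard added ahead of iio_device_claim_direct() closes the reported index, but the IIO_CHAN_INFO_SCALE arm still passes the unchecked result of bmi323_iio_to_sensor(chan->type) straight into bmi323_set_scale(), so any other channel type for which the helper returns -EINVAL would reach the same bmi323_hw[] lookup with a negative index. Checking the helper once and propagating its error, `ret = bmi323_iio_to_sensor(chan->type); if (ret < 0) return ret;` and then `bmi323_set_scale(data, ret, val, val2)`, rejects every type without a bmi323_hw[] row rather than only IIO_TEMP, and keeps the early return before the direct-mode claim so no release is needed on that path.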
This is OK, but why not check and propagate the error return?
case IIO_CHAN_INFO_SCALE:
ret = bmi323_iio_to_sensor(chan->type);
if (ret < 0)
return ret;
if (!iio_device_claim_direct(indio_dev))
return -EBUSY;
ret = bmi323_set_scale(data, ret, val, val2);
...
And even if we shouldn't hit the error in other case statements,
it seems like it would be good practice to still check for error
there too.
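The two patterns under discussion, the type-specific guard from the patch and the check-and-propagate form from the reply, as a stand-alone C model. This is an added example, not the bmi323 driver's code: the names mirror the driver's, but the channel types, the hw[] table, its scale values and every function here are constructed, and CHAN_MAGN is hypothetical, standing for any future channel type that also has no hw[] row. It shows why propagating the helper's error is the more robust choice: a guard keyed on one type still lets a negative errno (-EINVAL is -22) be used as an index for the next unsupported type.

```c
/* Constructed model of "check the negative errno before indexing".
 * Not the bmi323 driver; names only mirror it. */
#include <errno.h>

/* Constructed channel types. CHAN_MAGN is hypothetical: it stands for any
 * future type that also has no row in hw[]. */
enum chan_type { CHAN_ACCEL, CHAN_GYRO, CHAN_TEMP, CHAN_MAGN };

/* Indices into hw[]; only these two sensors have a row. */
enum sensor_idx { SENSOR_ACCEL, SENSOR_GYRO, NUM_SENSORS };

struct sensor_hw {
	const char *name;
	int nscale;
	const int *scales;
};

/* Constructed scale tables standing in for the driver's per-sensor data. */
static const int accel_scales[] = { 2, 4, 8, 16 };
static const int gyro_scales[]  = { 125, 250, 500, 1000, 2000 };

static const struct sensor_hw hw[NUM_SENSORS] = {
	[SENSOR_ACCEL] = { "accel", 4, accel_scales },
	[SENSOR_GYRO]  = { "gyro",  5, gyro_scales },
};

/* Maps a channel type to a hw[] index; -EINVAL for types without a row. */
int model_iio_to_sensor(enum chan_type type)
{
	switch (type) {
	case CHAN_ACCEL: return SENSOR_ACCEL;
	case CHAN_GYRO:  return SENSOR_GYRO;
	default:         return -EINVAL;
	}
}

/* Looks up `scale` in hw[sensor]. Trusts the caller to have validated
 * `sensor`: with sensor == -EINVAL this reads hw[-22]. */
static int model_set_scale(int sensor, int scale)
{
	const struct sensor_hw *h = &hw[sensor];

	for (int i = 0; i < h->nscale; i++)
		if (h->scales[i] == scale)
			return 0;
	return -EINVAL;
}

/* Pattern of the patch: reject one known-bad type, pass the rest through.
 * CHAN_TEMP is caught; the hypothetical CHAN_MAGN still reaches hw[-22]. */
int write_scale_type_guard(enum chan_type type, int scale)
{
	if (type == CHAN_TEMP)
		return -EINVAL;
	return model_set_scale(model_iio_to_sensor(type), scale);
}

/* Pattern of the reply: check the helper's return once and propagate it.
 * Every type without a hw[] row is rejected before any indexing. */
int write_scale_propagate(enum chan_type type, int scale)
{
	int ret = model_iio_to_sensor(type);

	if (ret < 0)
		return ret;
	return model_set_scale(ret, scale);
}

/* Reports (without performing the access) whether the type-guard version
 * would index hw[] out of bounds for `type`. */
int type_guard_would_overrun(enum chan_type type)
{
	if (type == CHAN_TEMP)
		return 0;	/* the guard rejects it before indexing */

	int idx = model_iio_to_sensor(type);

	return idx < 0 || idx >= NUM_SENSORS;
}
```

The cost of the propagated form is one extra local; in return the code stays correct when a channel is added to the channel table without a matching hw[] row, which is exactly the shape of the bug the patch reports.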