[PATCH] iio: chemical: mhz19b: reject oversized serial replies

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] iio: chemical: mhz19b: reject oversized serial replies
@ 2026-04-02  5:40 Pengpeng Hou
  2026-04-02  8:39 ` Andy Shevchenko
  2026-04-03 17:31 ` Gyeyoung Baek
  0 siblings, 2 replies; 4+ messages in thread
From: Pengpeng Hou @ 2026-04-02  5:40 UTC (permalink / raw)
  To: Gyeyoung Baek, Jonathan Cameron
  Cc: David Lechner, Nuno Sá, Andy Shevchenko, linux-iio,
	linux-kernel, pengpeng, stable

mhz19b_receive_buf() appends each serdev chunk into the fixed
MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
checking that the chunk fits in the remaining space. A large callback
can therefore overflow st->buf before the command path validates the
reply.

Reset the reply state before each command and reject oversized serial
replies before copying them into the fixed buffer. When an oversized
reply is detected, wake the waiter and report -EMSGSIZE instead of
overwriting st->buf.

Fixes: 4572a70b3681 ("iio: chemical: Add support for Winsen MHZ19B CO2 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/iio/chemical/mhz19b.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
index 3c64154918b1..90c997191c83 100644
--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -52,6 +52,7 @@ struct mhz19b_state {
 	struct completion buf_ready;
 
 	u8 buf_idx;
+	bool buf_overflow;
 	/*
 	 * Serdev receive buffer.
 	 * When data is received from the MH-Z19B,
@@ -106,6 +107,10 @@ static int mhz19b_serdev_cmd(struct iio_dev *indio_dev, int cmd, u16 arg)
 	cmd_buf[8] = mhz19b_get_checksum(cmd_buf);
 
 	/* Write buf to uart ctrl synchronously */
+	st->buf_idx = 0;
+	st->buf_overflow = false;
+	reinit_completion(&st->buf_ready);
+
 	ret = serdev_device_write(serdev, cmd_buf, MHZ19B_CMD_SIZE, 0);
 	if (ret < 0)
 		return ret;
@@ -121,6 +126,9 @@ static int mhz19b_serdev_cmd(struct iio_dev *indio_dev, int cmd, u16 arg)
 		if (!ret)
 			return -ETIMEDOUT;
 
+		if (st->buf_overflow)
+			return -EMSGSIZE;
+
 		if (st->buf[8] != mhz19b_get_checksum(st->buf)) {
 			dev_err(dev, "checksum err");
 			return -EINVAL;
@@ -240,6 +248,14 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
 {
 	struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
 	struct mhz19b_state *st = iio_priv(indio_dev);
+	size_t remaining = MHZ19B_CMD_SIZE - st->buf_idx;
+
+	if (len > remaining) {
+		st->buf_idx = 0;
+		st->buf_overflow = true;
+		complete(&st->buf_ready);
+		return len;
+	}
 
 	memcpy(st->buf + st->buf_idx, data, len);
 	st->buf_idx += len;
-- 
2.50.1 (Apple Git-155)


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
  2026-04-02  5:40 [PATCH] iio: chemical: mhz19b: reject oversized serial replies Pengpeng Hou
@ 2026-04-02  8:39 ` Andy Shevchenko
  2026-04-12 15:16   ` Jonathan Cameron
  2026-04-03 17:31 ` Gyeyoung Baek
  1 sibling, 1 reply; 4+ messages in thread
From: Andy Shevchenko @ 2026-04-02  8:39 UTC (permalink / raw)
  To: Pengpeng Hou
  Cc: Gyeyoung Baek, Jonathan Cameron, David Lechner, Nuno Sá,
	Andy Shevchenko, linux-iio, linux-kernel, stable

On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> mhz19b_receive_buf() appends each serdev chunk into the fixed
> MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> checking that the chunk fits in the remaining space. A large callback
> can therefore overflow st->buf before the command path validates the
> reply.
> 
> Reset the reply state before each command and reject oversized serial
> replies before copying them into the fixed buffer. When an oversized
> reply is detected, wake the waiter and report -EMSGSIZE instead of
> overwriting st->buf.

...

>  	struct completion buf_ready;
>  
>  	u8 buf_idx;
> +	bool buf_overflow;

+ blank line here.

(No need to resend just for this.)

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
  2026-04-02  8:39 ` Andy Shevchenko
@ 2026-04-12 15:16   ` Jonathan Cameron
  0 siblings, 0 replies; 4+ messages in thread
From: Jonathan Cameron @ 2026-04-12 15:16 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Pengpeng Hou, Gyeyoung Baek, David Lechner, Nuno Sá,
	Andy Shevchenko, linux-iio, linux-kernel, stable

On Thu, 2 Apr 2026 11:39:04 +0300
Andy Shevchenko <andriy.shevchenko@intel.com> wrote:

> On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> > mhz19b_receive_buf() appends each serdev chunk into the fixed
> > MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> > checking that the chunk fits in the remaining space. A large callback
> > can therefore overflow st->buf before the command path validates the
> > reply.
> > 
> > Reset the reply state before each command and reject oversized serial
> > replies before copying them into the fixed buffer. When an oversized
> > reply is detected, wake the waiter and report -EMSGSIZE instead of
> > overwriting st->buf.  
> 
> ...
> 
> >  	struct completion buf_ready;
> >  
> >  	u8 buf_idx;
> > +	bool buf_overflow;  
> 
> + blank line here.
> 
> (No need to resend just for this.)
> 

This version addressed the comment I just made on v2 so all good.

I tweaked whilst applying.
Applied to the fixes-togreg branch of iio.git.

Note I'm unlikely to send another fixes pull request this cycle, so
I'll rebase that branch on rc1 once available and send out then.

Thanks,

Jonathan

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
  2026-04-02  5:40 [PATCH] iio: chemical: mhz19b: reject oversized serial replies Pengpeng Hou
  2026-04-02  8:39 ` Andy Shevchenko
@ 2026-04-03 17:31 ` Gyeyoung Baek
  1 sibling, 0 replies; 4+ messages in thread
From: Gyeyoung Baek @ 2026-04-03 17:31 UTC (permalink / raw)
  To: Pengpeng Hou
  Cc: Jonathan Cameron, David Lechner, Nuno Sá, Andy Shevchenko,
	linux-iio, linux-kernel, stable

Hello,

On Thu, Apr 2, 2026 at 2:40 PM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> mhz19b_receive_buf() appends each serdev chunk into the fixed
> MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> checking that the chunk fits in the remaining space. A large callback
> can therefore overflow st->buf before the command path validates the
> reply.
>
> Reset the reply state before each command and reject oversized serial
> replies before copying them into the fixed buffer. When an oversized
> reply is detected, wake the waiter and report -EMSGSIZE instead of
> overwriting st->buf.
>

Acked-by: Gyeyoung Baek <gye976@gmail.com>

-- 
Thanks,
Gyeyoung

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-12 15:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-02  5:40 [PATCH] iio: chemical: mhz19b: reject oversized serial replies Pengpeng Hou
2026-04-02  8:39 ` Andy Shevchenko
2026-04-12 15:16   ` Jonathan Cameron
2026-04-03 17:31 ` Gyeyoung Baek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox