[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230423141124.3d4dc91d@jic23-huawei>
Date: Sun, 23 Apr 2023 14:11:24 +0100
From: Jonathan Cameron <jic23@...nel.org>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Patrik Dahlström <risca@...akolonin.se>,
Lars-Peter Clausen <lars@...afoo.de>,
linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] iio: adc: palmas: fix off by one bugs
On Fri, 21 Apr 2023 13:41:56 +0300
Dan Carpenter <dan.carpenter@...aro.org> wrote:
> Valid values for "adc_chan" are zero to (PALMAS_ADC_CH_MAX - 1).
> Smatch detects some buffer overflows caused by this:
> drivers/iio/adc/palmas_gpadc.c:721 palmas_gpadc_read_event_value() error: buffer overflow 'adc->thresholds' 16 <= 16
> drivers/iio/adc/palmas_gpadc.c:758 palmas_gpadc_write_event_value() error: buffer overflow 'adc->thresholds' 16 <= 16
>
> The effect of this bug in other functions is more complicated but
> obviously we should fix all of them.
>
> Fixes: a99544c6c883 ("iio: adc: palmas: add support for iio threshold events")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
Looks good to me. Slight shuffle at the moment will delay me applying this.
I'll wait for Linus to pick up Greg's pull request then rebase my fixes branch
on top of that. Otherwise I make a mess of linux-next ordering and things might
blow up.
In meantime, Patrik, please take a look.
Jonathan
> ---
> ---
> drivers/iio/adc/palmas_gpadc.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iio/adc/palmas_gpadc.c b/drivers/iio/adc/palmas_gpadc.c
> index c1c439215aeb..7dfc9c927a23 100644
> --- a/drivers/iio/adc/palmas_gpadc.c
> +++ b/drivers/iio/adc/palmas_gpadc.c
> @@ -547,7 +547,7 @@ static int palmas_gpadc_read_raw(struct iio_dev *indio_dev,
> int adc_chan = chan->channel;
> int ret = 0;
>
> - if (adc_chan > PALMAS_ADC_CH_MAX)
> + if (adc_chan >= PALMAS_ADC_CH_MAX)
> return -EINVAL;
>
> mutex_lock(&adc->lock);
> @@ -595,7 +595,7 @@ static int palmas_gpadc_read_event_config(struct iio_dev *indio_dev,
> int adc_chan = chan->channel;
> int ret = 0;
>
> - if (adc_chan > PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> + if (adc_chan >= PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> return -EINVAL;
>
> mutex_lock(&adc->lock);
> @@ -684,7 +684,7 @@ static int palmas_gpadc_write_event_config(struct iio_dev *indio_dev,
> int adc_chan = chan->channel;
> int ret;
>
> - if (adc_chan > PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> + if (adc_chan >= PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> return -EINVAL;
>
> mutex_lock(&adc->lock);
> @@ -710,7 +710,7 @@ static int palmas_gpadc_read_event_value(struct iio_dev *indio_dev,
> int adc_chan = chan->channel;
> int ret;
>
> - if (adc_chan > PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> + if (adc_chan >= PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> return -EINVAL;
>
> mutex_lock(&adc->lock);
> @@ -744,7 +744,7 @@ static int palmas_gpadc_write_event_value(struct iio_dev *indio_dev,
> int old;
> int ret;
>
> - if (adc_chan > PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> + if (adc_chan >= PALMAS_ADC_CH_MAX || type != IIO_EV_TYPE_THRESH)
> return -EINVAL;
>
> mutex_lock(&adc->lock);
Powered by blists - more mailing lists