| author | Stepan Ionichev <sozdayvek@gmail.com> | 2026-05-10 05:35:00 +0300 |
|---|---|---|
| committer | Jonathan Cameron <jic23@kernel.org> | 2026-05-16 13:44:51 +0300 |
| commit | 8320c77e67382d5d55d77043a5f60a867d408a2b (patch) | |
| tree | 24d963638a9d458843735dba84e55390135a6157 /scripts | |
| parent | 1172160f2a2de7bade3bec64b8c5ecf945cde5ed (diff) | |
| download | linux-8320c77e67382d5d55d77043a5f60a867d408a2b.tar.xz | |
iio: gyro: bmg160: bail out when bandwidth/filter is not in table

bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the entry
matching the bw_bits value read from the chip:

	for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
		if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
			break;
	}

	*val = bmg160_samp_freq_table[i].filter;

If no entry matches, i ends up equal to the array size and the next line
reads one slot past the end. bmg160_set_filter() has the same shape, driven
by 'val' instead of bw_bits.

smatch flags both:

	drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
	buffer overflow 'bmg160_samp_freq_table' 7 <= 7
	drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
	buffer overflow 'bmg160_samp_freq_table' 7 <= 7

Return -EINVAL when no entry matches.

The set_filter() path is reachable from userspace via the sysfs
in_anglvel_filter_low_pass_3db_frequency interface, so userspace can
trivially trigger the out-of-bounds read with a value that is not in
bmg160_samp_freq_table[].filter.

Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
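The lookup shape the commit message describes, as an added user-space example that is not the driver's code or the patch itself: the search loop leaves i equal to the array size when nothing matches, and the hardened lookup checks for that before indexing and returns -EINVAL. The demo_ names and the table values are constructed for illustration; only the 7-entry size and the -EINVAL return come from the page.

```c
/* Added example: user-space model of the lookup pattern, not the driver. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed 7-entry table; the values are placeholders, not the driver's. */
struct demo_samp_freq { int filter; int bw_bits; };
static const struct demo_samp_freq demo_table[] = {
	{ 10, 0x07 }, { 20, 0x06 }, { 30, 0x05 }, { 40, 0x04 },
	{ 50, 0x03 }, { 60, 0x02 }, { 70, 0x01 },
};

/* Index the search loop stops at; equals ARRAY_SIZE when nothing matches. */
static size_t demo_find_bw_bits(int bw_bits)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(demo_table); ++i) {
		if (demo_table[i].bw_bits == bw_bits)
			break;
	}
	return i;
}

/* Hardened lookup: validate the index before it is used to read the table. */
static int demo_get_filter(int bw_bits, int *val)
{
	size_t i = demo_find_bw_bits(bw_bits);

	if (i == ARRAY_SIZE(demo_table))
		return -EINVAL;	/* no entry matched: bail out, *val untouched */

	*val = demo_table[i].filter;
	return 0;
}

int main(void)
{
	int val = -1;
	int ret = demo_get_filter(0x00, &val);	/* 0x00 is not in the table */

	printf("unmatched: index=%zu ret=%d val=%d\n",
	       demo_find_bw_bits(0x00), ret, val);
	ret = demo_get_filter(0x03, &val);
	printf("matched:   ret=%d val=%d\n", ret, val);
	return 0;
}
```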
