summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorStepan Ionichev <sozdayvek@gmail.com>2026-05-10 05:35:00 +0300
committerJonathan Cameron <jic23@kernel.org>2026-05-16 13:44:51 +0300
commit8320c77e67382d5d55d77043a5f60a867d408a2b (patch)
tree24d963638a9d458843735dba84e55390135a6157 /scripts
parent1172160f2a2de7bade3bec64b8c5ecf945cde5ed (diff)
downloadlinux-8320c77e67382d5d55d77043a5f60a867d408a2b.tar.xz
iio: gyro: bmg160: bail out when bandwidth/filter is not in table
bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the entry matching the bw_bits value read from the chip: for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) { if (bmg160_samp_freq_table[i].bw_bits == bw_bits) break; } *val = bmg160_samp_freq_table[i].filter; If no entry matches, i ends up equal to the array size and the next line reads one slot past the end. bmg160_set_filter() has the same shape, driven by 'val' instead of bw_bits. smatch flags both: drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error: buffer overflow 'bmg160_samp_freq_table' 7 <= 7 drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error: buffer overflow 'bmg160_samp_freq_table' 7 <= 7 Return -EINVAL when no entry matches. The set_filter() path is reachable from userspace via the sysfs in_anglvel_filter_low_pass_3db_frequency interface, so userspace can trivially trigger the out-of-bounds read with a value that is not in bmg160_samp_freq_table[].filter. Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver") Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions