Re: [PATCH v2] iio: imu: bmi323: Fix potential out-of-bounds access of bmi323_hw[]

Next message: Takashi Iwai: "Re: [PATCH] ALSA: Consistently define pci_device_ids using named initializers"
Previous message: Peter Zijlstra: "Re: [PATCH RESEND] sched/fair: Fix overflow in vruntime_eligible()"
In reply to: gerben: "[PATCH v2] iio: imu: bmi323: Fix potential out-of-bounds access of bmi323_hw[]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Mon May 04 2026 - 07:23:41 EST

On Mon, May 04, 2026 at 02:19:46PM +0300, gerben@xxxxxxxxxxxx wrote:

> The bmi323_channels[] array defines a channel with chan->type =
> IIO_TEMP and enables the IIO_CHAN_INFO_SCALE mask. As a result,
> bmi323_write_raw() may be called for this channel. However,
> bmi323_iio_to_sensor() returns -EINVAL for IIO_TEMP, and if this
> value is not validated, it can lead to an out-of-bounds access
> when used as an array index.
>
> A similar case is properly handled in bmi323_read_raw() and does
> not result in an error.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.

...

> case IIO_CHAN_INFO_SAMP_FREQ:
> + ret = bmi323_iio_to_sensor(chan->type);
> + if (ret < 0)
> + return ret;
> +
> if (!iio_device_claim_direct(indio_dev))
> return -EBUSY;
> - ret = bmi323_set_odr(data, bmi323_iio_to_sensor(chan->type),
> - val, val2);
> + ret = bmi323_set_odr(data, ret, val, val2);

ret = foo(ret) is a bad style.

> iio_device_release_direct(indio_dev);
> return ret;

--
With Best Regards,
Andy Shevchenko