Re: [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index
From: Jonathan Cameron
Date: Fri May 15 2026 - 10:33:36 EST
On Fri, 15 May 2026 08:17:18 +1300
"Javier Carrasco" <javier.carrasco.cruz@xxxxxxxxx> wrote:
> On Fri May 15, 2026 at 5:23 AM +13, Greg Kroah-Hartman wrote:
> > From: Sam Daly <sam@xxxxxxxxxx>
> >
> > veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
> > values 0-7. If it returns a value >= 5, this causes an
> > out-of-bounds array access. Add a bounds check and return
> > -EINVAL if the index is out of range.
I'd prefer it if this sort of change called out that we don't expect
to ever see those values except when we have bus corruption or
a broken device. Good to protect against but that info might help
folk decide whether to backport or not.
I'll add a note whilst applying. Applied to the fixes-togreg
branch of iio.git. I also rewrapped the description as 60 chars
is rather short.
Applied
Jonathan
> >
> > Assisted-by: gkh_clanker_2000
> > Cc: stable <stable@xxxxxxxxxx>
> > Cc: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
> > Cc: Jonathan Cameron <jic23@xxxxxxxxxx>
> > Cc: David Lechner <dlechner@xxxxxxxxxxxx>
> > Cc: "Nuno Sá" <nuno.sa@xxxxxxxxxx>
> > Cc: Andy Shevchenko <andy@xxxxxxxxxx>
> > Signed-off-by: Sam Daly <sam@xxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > ---
> > drivers/iio/light/veml6075.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
> > index edbb43407054..f7eb159e5cb4 100644
> > --- a/drivers/iio/light/veml6075.c
> > +++ b/drivers/iio/light/veml6075.c
> > @@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
> >
> > static int veml6075_request_measurement(struct veml6075_data *data)
> > {
> > - int ret, conf, int_time;
> > + int ret, conf, int_time, int_index;
> >
> > ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
> > if (ret < 0)
> > @@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
> > * time for all possible configurations. Using a 1.50 factor simplifies
> > * operations and ensures reliability under all circumstances.
> > */
> > - int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
> > + int_index = FIELD_GET(VEML6075_CONF_IT, conf);
> > + if (int_index >= ARRAY_SIZE(veml6075_it_ms))
> > + return -EINVAL;
> > +
> > + int_time = veml6075_it_ms[int_index];
> > msleep(int_time + (int_time / 2));
> >
> > /* shutdown again, data registers are still accessible */
>
> Reviewed-by: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>