comedi: aio_iiro_16: Fix bit shift out of bounds

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When checking for a supported IRQ number, the following test is used:

if ((1 << it->options[1]) & 0xdcfc) {

However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.

Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Ian Abbott and committed by

Greg Kroah-Hartman 9 months ago 66acb158 b14b076c

+2 -1

1 changed file

expand all

drivers

comedi

drivers

aio_iiro_16.c

+2 -1

drivers/comedi/drivers/aio_iiro_16.c

··· 177 177 * Digital input change of state interrupts are optionally supported 178 178 * using IRQ 2-7, 10-12, 14, or 15. 179 179 */ 180 - if ((1 << it->options[1]) & 0xdcfc) { 180 + if (it->options[1] > 0 && it->options[1] < 16 && 181 + (1 << it->options[1]) & 0xdcfc) { 181 182 ret = request_irq(it->options[1], aio_iiro_16_cos, 0, 182 183 dev->board_name, dev); 183 184 if (ret == 0)