Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

iio: adc: ad7124: fix possible OOB array access

Reorder the channel bounds check before using it to index into the
channels array in ad7124_release_config_slot(). This prevents reading
past the end of the array.

The value read from invalid memory was not used, so this was mostly
harmless, but we still should not be reading out of bounds in the first
place.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-iio/aPi6V-hcaKReSNWK@stanley.mountain/
Fixes: 9065197e0d41 ("iio: adc: ad7124: change setup reg allocation strategy")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

authored by David Lechner and committed by Jonathan Cameron
97289f6a c6763b15

+9 -4
drivers/iio/adc/ad7124.c
··· 586 586 587 587 static void ad7124_release_config_slot(struct ad7124_state *st, u8 channel) 588 588 { 589 - unsigned int slot = st->channels[channel].cfg.cfg_slot; 589 + unsigned int slot; 590 590 591 591 /* 592 - * All of these conditions can happen at probe when all channels are 593 - * disabled. Otherwise, they should not happen normally. 592 + * All of these early return conditions can happen at probe when all 593 + * channels are disabled. Otherwise, they should not happen normally. 594 594 */ 595 - if (channel >= st->num_channels || slot == AD7124_CFG_SLOT_UNASSIGNED || 595 + if (channel >= st->num_channels) 596 + return; 597 + 598 + slot = st->channels[channel].cfg.cfg_slot; 599 + 600 + if (slot == AD7124_CFG_SLOT_UNASSIGNED || 596 601 st->cfg_slot_use_count[slot] == 0) 597 602 return; 598 603
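Review bot: after the reorder, `slot` is still used as an index in `st->cfg_slot_use_count[slot]` with only the `AD7124_CFG_SLOT_UNASSIGNED` comparison guarding it; the hunk fixes the read past `st->channels` but shows no upper-bound check on `slot` itself. If `cfg_slot` can only ever hold the sentinel or a value handed out by a bounded allocator, that invariant is fine, but it is not visible here, so either note it in the comment above the early returns ("All of these early return conditions can happen at probe ...") or add an explicit `slot >= ARRAY_SIZE(st->cfg_slot_use_count)` early return before the use-count lookup so the function does not depend on callers keeping `cfg_slot` in range. Separately, the move of the `slot = st->channels[channel].cfg.cfg_slot;` load below the `channel >= st->num_channels` check is the right ordering for the reported OOB read and matches the commit message.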