[lvc-project] [PATCH v2] iio: imu: bmi323: Fix potential out-of-bounds access of bmi323_hw[]
Andy Shevchenko
andriy.shevchenko at intel.com
Mon May 4 14:23:04 MSK 2026
On Mon, May 04, 2026 at 02:19:46PM +0300, gerben at altlinux.org wrote:
> The bmi323_channels[] array defines a channel with chan->type =
> IIO_TEMP and enables the IIO_CHAN_INFO_SCALE mask. As a result,
> bmi323_write_raw() may be called for this channel. However,
> bmi323_iio_to_sensor() returns -EINVAL for IIO_TEMP, and if this
> value is not validated, it can lead to an out-of-bounds access
> when used as an array index.
>
> A similar case is properly handled in bmi323_read_raw() and does
> not result in an error.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
...
> case IIO_CHAN_INFO_SAMP_FREQ:
> + ret = bmi323_iio_to_sensor(chan->type);
> + if (ret < 0)
> + return ret;
> +
> if (!iio_device_claim_direct(indio_dev))
> return -EBUSY;
> - ret = bmi323_set_odr(data, bmi323_iio_to_sensor(chan->type),
> - val, val2);
> + ret = bmi323_set_odr(data, ret, val, val2);
ret = foo(ret) is a bad style.
> iio_device_release_direct(indio_dev);
> return ret;
--
With Best Regards,
Andy Shevchenko
More information about the lvc-project
mailing list