Loading
iio: health: afe4403: Fix oob read in afe4403_read_raw
mainline inclusion from mainline-v6.1-rc7 commit 58143c1e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYRDV CVE: CVE-2022-49031 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58143c1ed5882c138a3cd2251a336fc8755f23d9 -------------------------------- KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by singe command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address cause OOB read in afe4403_read_raw. Fix it by moving access before use it. Fixes: b36e8257 ("iio: health/afe440x: Use regmap fields") Signed-off-by:Wei Yongjun <weiyongjun1@huawei.com> Acked-by: