Commit 78a7cbd8 authored Jan 06, 2025 by Nuno Sa Committed by Yi Yang Jan 06, 2025

iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer

stable inclusion
from stable-v6.6.64
commit e5cac32721997cb8bcb208a29f4598b3faf46338
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAMO
CVE: CVE-2024-56557

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e5cac32721997cb8bcb208a29f4598b3faf46338



--------------------------------

commit 3a4187ec454e19903fd15f6e1825a4b84e59a4cd upstream.

The AD7923 was updated to support devices with 8 channels, but the size
of tx_buf and ring_xfer was not increased accordingly, leading to a
potential buffer overflow in ad7923_update_scan_mode().

Fixes: 851644a6 ("iio: adc: ad7923: Add support for the ad7908/ad7918/ad7928")
Cc: stable@vger.kernel.org
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
Link: https://patch.msgid.link/20241029134637.2261336-1-quzicheng@huawei.com


Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yi Yang <yiyang13@huawei.com>

parent 1cbb44cd

drivers/iio/adc/ad7923.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -48,7 +48,7 @@

		struct ad7923_state {
		struct spi_device *spi;
		struct spi_transfer ring_xfer[5];
		struct spi_transfer ring_xfer[9];
		struct spi_transfer scan_single_xfer[2];
		struct spi_message ring_msg;
		struct spi_message scan_single_msg;
		@@ -64,7 +64,7 @@ struct ad7923_state {
		* Length = 8 channels + 4 extra for 8 byte timestamp
		*/
		__be16 rx_buf[12] __aligned(IIO_DMA_MINALIGN);
		__be16 tx_buf[4];
		__be16 tx_buf[8];
		};

		struct ad7923_chip_info {