diff options
| author |   Abdurrahman Hussain <abdurrahman@nexthop.ai> | 2026-05-15 15:11:51 -0700 |
|---|---|---|
| committer |   Guenter Roeck <linux@roeck-us.net> | 2026-05-21 06:58:47 -0700 |
| commit | 43cae21424ff8e33894a0f86c6b80b840c049fd7 (patch) | |
| tree | 9c2eedebd0125d879a874bc840fafdc2c4745cbc /include/linux/bcma/ssh:/git@git.zx2c4.com | |
| parent | hwmon: (pmbus/adm1266) include adapter number in GPIO line label (diff) | |
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
adm1266_pmbus_block_xfer() copies the device-supplied block payload
into the caller-provided buffer using the device-supplied length:
memcpy(data_r, &msgs[1].buf[1], msgs[1].buf[0]);
The helper does not know how large data_r is and trusts the device to
return at most one record's worth of bytes. adm1266_nvmem_read_blackbox()
violates that contract: it advances read_buff inside data->dev_mem in
ADM1266_BLACKBOX_SIZE (64-byte) strides while the helper is willing to
write up to ADM1266_PMBUS_BLOCK_MAX (255) bytes. A device that returns
more than 64 bytes on the trailing record (read_buff offset 1984 in
the 2048-byte dev_mem allocation) overflows dev_mem by up to 191 bytes
before the post-call
if (ret != ADM1266_BLACKBOX_SIZE)
return -EIO;
can reject the response.
Contain the fix in the caller without changing the helper signature:
read each record into a 255-byte local bounce buffer that matches the
helper's maximum output, validate the returned length, and only then
copy exactly ADM1266_BLACKBOX_SIZE bytes into the dev_mem slot.
Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-5-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Diffstat (limited to 'include/linux/bcma/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions