diff options
| author |   Abdurrahman Hussain <abdurrahman@nexthop.ai> | 2026-05-15 15:11:49 -0700 |
|---|---|---|
| committer |   Guenter Roeck <linux@roeck-us.net> | 2026-05-21 06:56:16 -0700 |
| commit | 4afca954622d672ea65ed961bed01cf91caa034e (patch) | |
| tree | 145d075c72d286153c0a347046ec93e398737f32 /include/linux/bcma/ssh:/git@git.zx2c4.com | |
| parent | hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX (diff) | |
hwmon: (pmbus/adm1266) reject implausible blackbox record_count
adm1266_nvmem_read_blackbox() loops over a record_count that comes
straight from byte 3 of the BLACKBOX_INFO response. The destination
buffer is data->dev_mem, sized for the nvmem cell's declared 2048
bytes (ADM1266_BLACKBOX_MAX_RECORDS * ADM1266_BLACKBOX_SIZE = 32 * 64).
A device that reports a record_count greater than 32 -- whether due
to firmware bugs, bus corruption, or a non-responsive slave returning
0xff -- would walk read_buff past the end of the dev_mem allocation
on the trailing iterations.
Cap record_count at ADM1266_BLACKBOX_MAX_RECORDS (introduced here)
before entering the loop and return -EIO on any larger value, so a
malformed BLACKBOX_INFO response cannot drive the loop out of bounds.
Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-3-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Diffstat (limited to 'include/linux/bcma/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions