| Message ID | 3d98589455726e812cf2ad2610f7351ee2b93b07.1714371936.git.mazziesaccount@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Fix the iio-gts-helpers available times table sorting | expand |
On 4/29/24 09:29, Chenyuan Yang wrote: > The sorting in iio_gts_build_avail_time_table is not working as intended. > It could result in an out-of-bounds access when the time is zero. > > Here are more details: > > 1. When the gts->itime_table[i].time_us is zero, e.g., the time > sequence is `3, 0, 1`, the inner for-loop will not terminate and do > out-of-bound writes. This is because once `times[j] > new`, the value > `new` will be added in the current position and the `times[j]` will be > moved to `j+1` position, which makes the if-condition always hold. > Meanwhile, idx will be added one, making the loop keep running without > termination and out-of-bound write. > 2. If none of the gts->itime_table[i].time_us is zero, the elements > will just be copied without being sorted as described in the comment > "Sort times from all tables to one and remove duplicates". > > For more details, please refer to > https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com. > > Reported-by: Chenyuan Yang <chenyuan0y@gmail.com> > Suggested-by: Matti Vaittinen <mazziesaccount@gmail.com> > Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") > Co-developed-by: Chenyuan Yang <chenyuan0y@gmail.com> > Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com> > Co-developed-by: Matti Vaittinen <mazziesaccount@gmail.com> > Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> Huh. I had never before sent a patch with co-authored tags. Just to ensure there is no misunderstandings - I did send this patch mail. I added the From: tag as was suggested in: https://www.kernel.org/doc/html/latest/process/submitting-patches.html I am afraid mutt picked the email sender from this tag - which does not fee like correct thing to do! Sorry! I did not intend to impersonate Chenyuan! Yours, -- Matti
diff --git a/drivers/iio/industrialio-gts-helper.c b/drivers/iio/industrialio-gts-helper.c index b51eb6cb766f..59d7615c0f56 100644 --- a/drivers/iio/industrialio-gts-helper.c +++ b/drivers/iio/industrialio-gts-helper.c @@ -362,17 +362,20 @@ static int iio_gts_build_avail_time_table(struct iio_gts *gts) for (i = gts->num_itime - 1; i >= 0; i--) { int new = gts->itime_table[i].time_us; - if (times[idx] < new) { + if (idx == 0 || times[idx - 1] < new) { times[idx++] = new; continue; } - for (j = 0; j <= idx; j++) { + for (j = 0; j < idx; j++) { + if (times[j] == new) + break; if (times[j] > new) { memmove(×[j + 1], ×[j], (idx - j) * sizeof(int)); times[j] = new; idx++; + break; } } }
The sorting in iio_gts_build_avail_time_table is not working as intended. It could result in an out-of-bounds access when the time is zero. Here are more details: 1. When the gts->itime_table[i].time_us is zero, e.g., the time sequence is `3, 0, 1`, the inner for-loop will not terminate and do out-of-bound writes. This is because once `times[j] > new`, the value `new` will be added in the current position and the `times[j]` will be moved to `j+1` position, which makes the if-condition always hold. Meanwhile, idx will be added one, making the loop keep running without termination and out-of-bound write. 2. If none of the gts->itime_table[i].time_us is zero, the elements will just be copied without being sorted as described in the comment "Sort times from all tables to one and remove duplicates". For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com. Reported-by: Chenyuan Yang <chenyuan0y@gmail.com> Suggested-by: Matti Vaittinen <mazziesaccount@gmail.com> Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") Co-developed-by: Chenyuan Yang <chenyuan0y@gmail.com> Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com> Co-developed-by: Matti Vaittinen <mazziesaccount@gmail.com> Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> --- Original commit (by Chenyuan Yang) was amended by me to remove duplicates so that the user-space callers do not get multiple instances of same time as was discussed here: https://lore.kernel.org/all/a59061f8-5caa-43d4-bd4f-5ac4c39515ba@gmail.com/ --- drivers/iio/industrialio-gts-helper.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)