iio: Fix the allocation size for cros_ec_command

Message ID	20230629132405.1237292-1-yguoaz@gmail.com (mailing list archive)
State	New, archived
Headers	show Received: from mail-qk1-f173.google.com (mail-qk1-f173.google.com [209.85.222.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94FD311190 for <chrome-platform@lists.linux.dev>; Thu, 29 Jun 2023 13:25:26 +0000 (UTC) From: Yiyuan Guo <yguoaz@gmail.com> To: jic23@kernel.org, lars@metafoo.de, bleung@chromium.org, groeck@chromium.org Cc: dianders@chromium.org, mazziesaccount@gmail.com, gwendal@chromium.org, linux-iio@vger.kernel.org, chrome-platform@lists.linux.dev, yguoaz@gmail.com Subject: [PATCH] iio: Fix the allocation size for cros_ec_command Date: Thu, 29 Jun 2023 21:24:05 +0800 Message-Id: <20230629132405.1237292-1-yguoaz@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	iio: Fix the allocation size for cros_ec_command \| expand iio: Fix the allocation size for cros_ec_command

Message ID

20230629132405.1237292-1-yguoaz@gmail.com (mailing list archive)

State

New, archived

Headers

From: Yiyuan Guo <yguoaz@gmail.com>
To: jic23@kernel.org,
	lars@metafoo.de,
	bleung@chromium.org,
	groeck@chromium.org
Cc: dianders@chromium.org,
	mazziesaccount@gmail.com,
	gwendal@chromium.org,
	linux-iio@vger.kernel.org,
	chrome-platform@lists.linux.dev,
	yguoaz@gmail.com
Subject: [PATCH] iio: Fix the allocation size for cros_ec_command
Date: Thu, 29 Jun 2023 21:24:05 +0800
Message-Id: <20230629132405.1237292-1-yguoaz@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

iio: Fix the allocation size for cros_ec_command | expand

Commit Message

yguoaz June 29, 2023, 1:24 p.m. UTC

The struct cros_ec_command contains several integer fields and a
trailing array. An allocation size neglecting the integer fields can
lead to buffer overrun.

Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>
---
 drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Tzung-Bi Shih June 30, 2023, 5:13 a.m. UTC | #1

On Thu, Jun 29, 2023 at 09:24:05PM +0800, Yiyuan Guo wrote:
> The struct cros_ec_command contains several integer fields and a
> trailing array. An allocation size neglecting the integer fields can
> lead to buffer overrun.
> 
> Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>

Better prefix the commit title with "iio: cros_ec:".

With that:
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>

diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
index 943e9e14d1e9..e4c01f1072bd 100644
--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
+++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
@@ -253,8 +253,8 @@  int cros_ec_sensors_core_init(struct platform_device *pdev,
 	platform_set_drvdata(pdev, indio_dev);
 
 	state->ec = ec->ec_dev;
-	state->msg = devm_kzalloc(&pdev->dev,
-				max((u16)sizeof(struct ec_params_motion_sense),
+	state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) +
+			max((u16)sizeof(struct ec_params_motion_sense),
 				state->ec->max_response), GFP_KERNEL);
 	if (!state->msg)
 		return -ENOMEM;

iio: Fix the allocation size for cros_ec_command

Commit Message

Comments

Patch