On Mon, Nov 07, 2022 at 02:04:13AM +0000, Wei Yongjun wrote: > From: Wei Yongjun <weiyongjun1@xxxxxxxxxx> > > KASAN report out-of-bounds read as follows: > > BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 [afe4403] > Read of size 4 at addr ffffffffc02ac638 by task cat/279 > > CPU: 2 PID: 279 Comm: cat Tainted: G N > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 > Call Trace: > <TASK> > afe4403_read_raw+0x42e/0x4c0 [afe4403 141d77410f5466ef049ee2376f5136b77a168de0] > iio_read_channel_info+0x249/0x2e0 [industrialio d0627df60a92bbb9630e68c3e2f98d20dac889ef] > dev_attr_show+0x4b/0xa0 drivers/base/core.c:2195 > sysfs_kf_seq_show+0x1ec/0x390 fs/sysfs/file.c:59 > seq_read_iter+0x48d/0x10b0 fs/seq_file.c:230 > kernfs_fop_read_iter+0x4e6/0x710 fs/kernfs/file.c:275 > call_read_iter include/linux/fs.h:2153 [inline] > new_sync_read fs/read_write.c:389 [inline] > vfs_read+0x5f2/0x890 fs/read_write.c:470 > ksys_read+0x106/0x220 fs/read_write.c:613 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x38/0xa0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x72/0xdc > RIP: 0033:0x7fd8611cf992 > </TASK> Read this https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages and update the commit message accordingly. > The buggy address belongs to the variable: > afe4403_channel_leds+0x18/0xffffffffffffe9e0 [afe4403] > > This issue can be reproduced by singe command: > > $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw > > The array size of afe4403_channel_leds is less than channels, so access > with chan->address cause OOB read in afe4403_read_raw. Fix it by moving > access before use it. -- With Best Regards, Andy Shevchenko
