On Mon, Nov 07, 2022 at 02:04:25AM +0000, Wei Yongjun wrote: > From: Wei Yongjun <weiyongjun1@xxxxxxxxxx> > > KASAN report out-of-bounds read as follows: > > BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 [afe4404] > Read of size 4 at addr ffffffffc00e4658 by task cat/278 > > CPU: 1 PID: 278 Comm: cat Tainted: G > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 > Call Trace: > <TASK> > afe4404_read_raw+0x2ce/0x380 [afe4404] > iio_read_channel_info+0x249/0x2e0 [industrialio] > dev_attr_show+0x4b/0xa0 drivers/base/core.c:2195 > sysfs_kf_seq_show+0x1ec/0x390 fs/sysfs/file.c:59 > seq_read_iter+0x48d/0x10b0 fs/seq_file.c:230 > kernfs_fop_read_iter+0x4e6/0x710 fs/kernfs/file.c:275 > call_read_iter include/linux/fs.h:2153 [inline] > new_sync_read fs/read_write.c:389 [inline] > vfs_read+0x5f2/0x890 fs/read_write.c:470 > ksys_read+0x106/0x220 fs/read_write.c:613 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x38/0xa0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x72/0xdc > RIP: 0033:0x7fe9c5ef6992 > </TASK> Read this https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages and update your commit message accordingly. > The buggy address belongs to the variable: > afe4404_channel_leds+0x18/0xffffffffffffe9c0 [afe4404] > > This issue can be reproduce by singe command: > > $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw > > The array size of afe4404_channel_leds and afe4404_channel_offdacs > are less than channels, so access with chan->address cause OOB read > in afe4404_[read|write]_raw. Fix it by moving access before use them. -- With Best Regards, Andy Shevchenko
