git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	David Lechner <dlechner@baylibre.com>
	Thu, 10 Jul 2025 02:20:00 +0000 (21:20 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 28 Aug 2025 14:26:06 +0000 (16:26 +0200)
commit	a0691ab6334f1769acc64ea9e319414a682ff45d
tree	41558666b694769bb5a9b91cf77768827503dfad	tree \| snapshot
parent	8a6a27bc2d5d9582d111e8663928227ce274d4d3	commit \| diff

iio: imu: bno055: fix OOB access of hw_xlate array

commit 399b883ec828e436f1a721bf8551b4da8727e65b upstream.

Fix a potential out-of-bounds array access of the hw_xlate array in
bno055.c.

In bno055_get_regmask(), hw_xlate was iterated over the length of the
vals array instead of the length of the hw_xlate array. In the case of
bno055_gyr_scale, the vals array is larger than the hw_xlate array,
so this could result in an out-of-bounds access. In practice, this
shouldn't happen though because a match should always be found which
breaks out of the for loop before it iterates beyond the end of the
hw_xlate array.

By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be
sure we are iterating over the correct length.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507100510.rGt1YOOx-lkp@intel.com/
Fixes: 4aefe1c2bd0c ("iio: imu: add Bosch Sensortec BNO055 core driver")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250709-iio-const-data-19-v2-1-fb3fc9191251@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>