git.ipfire.org Git - thirdparty/kernel/linux.git/commit
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
author Abdurrahman Hussain <abdurrahman@nexthop.ai>
Fri, 15 May 2026 22:11:51 +0000 (15:11 -0700)
committer Guenter Roeck <linux@roeck-us.net>
Thu, 21 May 2026 13:58:47 +0000 (06:58 -0700)
commit 43cae21424ff8e33894a0f86c6b80b840c049fd7
tree 9c2eedebd0125d879a874bc840fafdc2c4745cbc
parent b0ddda571d15528e6caee7090beff4a66dfdb1a2
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer

adm1266_pmbus_block_xfer() copies the device-supplied block payload
into the caller-provided buffer using the device-supplied length:

    memcpy(data_r, &msgs[1].buf[1], msgs[1].buf[0]);

The helper does not know how large data_r is and trusts the device to
return at most one record's worth of bytes.  adm1266_nvmem_read_blackbox()
violates that contract: it advances read_buff inside data->dev_mem in
ADM1266_BLACKBOX_SIZE (64-byte) strides while the helper is willing to
write up to ADM1266_PMBUS_BLOCK_MAX (255) bytes.  A device that returns
more than 64 bytes on the trailing record (read_buff offset 1984 in
the 2048-byte dev_mem allocation) overflows dev_mem by up to 191 bytes
before the post-call

    if (ret != ADM1266_BLACKBOX_SIZE)
        return -EIO;

can reject the response.

Contain the fix in the caller without changing the helper signature:
read each record into a 255-byte local bounce buffer that matches the
helper's maximum output, validate the returned length, and only then
copy exactly ADM1266_BLACKBOX_SIZE bytes into the dev_mem slot.

Fixes: 407dc802a9c0 ("hwmon: (pmbus/adm1266) Add Block process call")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260515-adm1266-fixes-v1-5-1c1ea1349cfe@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
drivers/hwmon/pmbus/adm1266.c
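
The containment pattern the commit message describes, as an added user-space example (not the driver's code and not the patch itself): the helper may write up to 255 bytes, so the caller lands each record in a 255-byte bounce buffer, checks the length, and only then copies 64 bytes into its slot. `sim_len`, `sim_block_xfer`, `read_blackbox` and `run_case` are hypothetical names, and the device responses are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX    255                 /* ADM1266_PMBUS_BLOCK_MAX per the commit message */
#define RECORD_SIZE  64                  /* ADM1266_BLACKBOX_SIZE per the commit message */
#define RECORD_COUNT 32                  /* 2048-byte dev_mem / 64-byte records */
#define DEV_MEM_SIZE (RECORD_SIZE * RECORD_COUNT)

/* Constructed stand-in for the device: the length it reports for each record. */
static uint8_t sim_len[RECORD_COUNT];

/* Hypothetical model of the helper: copies as many bytes as the device
 * reports (up to 255) and has no idea how large dst is. */
static int sim_block_xfer(unsigned int idx, uint8_t *dst)
{
    uint8_t len = sim_len[idx];
    memset(dst, 0xA0 + (idx & 0x0F), len);
    return len;
}

/* Caller-side containment: bounce, validate, then copy a fixed size. */
int read_blackbox(uint8_t *dev_mem)
{
    uint8_t bounce[BLOCK_MAX];           /* sized to the helper's maximum output */
    for (unsigned int i = 0; i < RECORD_COUNT; i++) {
        int ret = sim_block_xfer(i, bounce);
        if (ret != RECORD_SIZE)          /* short or oversized record is rejected */
            return -EIO;
        memcpy(dev_mem + i * RECORD_SIZE, bounce, RECORD_SIZE);
    }
    return 0;
}

/* Reads all records with the trailing one reporting last_len bytes; a guard
 * region of 0xEE placed right after dev_mem shows whether anything spilled. */
int run_case(uint8_t last_len, int *guard_intact)
{
    static uint8_t arena[DEV_MEM_SIZE + BLOCK_MAX];
    memset(arena, 0xEE, sizeof(arena));
    memset(sim_len, RECORD_SIZE, sizeof(sim_len));
    sim_len[RECORD_COUNT - 1] = last_len;
    int ret = read_blackbox(arena);
    *guard_intact = 1;
    for (unsigned int i = DEV_MEM_SIZE; i < sizeof(arena); i++)
        *guard_intact &= (arena[i] == 0xEE);
    return ret;
}

int main(void) { int ok, r = run_case(255, &ok); printf("ret=%d guard_intact=%d\n", r, ok); return 0; }
```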