iio: light: veml6075: add bounds check to veml6075_it_ms index

veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
If it returns a value >= 5, this causes an out-of-bounds array access.
Add a bounds check and return -EINVAL if the index is out of range.

The problem values are reserved so should never be read from the
register. Hence this is hardening against fault device, missprogramming
or bus corruption.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>

diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
index edbb4340705435b77a49e4889fe20e58ca12b368..f7eb159e5cb40bed17e290c379905ef634d96e0c 100644 (file)
--- a/drivers/iio/light/veml6075.c
+++ b/drivers/iio/light/veml6075.c
@@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
 
 static int veml6075_request_measurement(struct veml6075_data *data)
 {
-       int ret, conf, int_time;
+       int ret, conf, int_time, int_index;
 
        ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
        if (ret < 0)
@@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
         * time for all possible configurations. Using a 1.50 factor simplifies
         * operations and ensures reliability under all circumstances.
         */
-       int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
+       int_index = FIELD_GET(VEML6075_CONF_IT, conf);
+       if (int_index >= ARRAY_SIZE(veml6075_it_ms))
+               return -EINVAL;
+
+       int_time = veml6075_it_ms[int_index];
        msleep(int_time + (int_time / 2));
 
        /* shutdown again, data registers are still accessible */