iio: adc: ti-ads1298: add bounds check to pga_settings index

ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
values 0-7. If it yields a value >= 7, this causes an out-of-bounds
array access. Add a bounds check and return -EINVAL if the index
is out of range.

Note that the remaining value b111 is reserved so should not be seen
in a correctly functioning system.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>

diff --git a/drivers/iio/adc/ti-ads1298.c b/drivers/iio/adc/ti-ads1298.c
index ae30b47e451426539b1b0afc4d92b30ed754b7b9..731792f06993a4d33d8a08ddd6ac31b2d1e54fb7 100644 (file)
--- a/drivers/iio/adc/ti-ads1298.c
+++ b/drivers/iio/adc/ti-ads1298.c
@@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = { 6, 1, 2, 3, 4, 8, 12 };
 static int ads1298_get_scale(struct ads1298_private *priv,
                             int channel, int *val, int *val2)
 {
+       unsigned int pga_idx;
        int ret;
        unsigned int regval;
        u8 gain;
@@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1298_private *priv,
        if (ret)
                return ret;
 
-       gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
+       pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
+       if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
+               return -EINVAL;
+
+       gain = ads1298_pga_settings[pga_idx];
        *val /= gain; /* Full scale is VREF / gain */
 
        *val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */