From: Anton Vasilyev <vasilyev@ispras.ru>
Date: Thu, 10 Aug 2017 16:46:32 +0000 (+0300)
Subject: hwmon: (stts751) buffer overrun on wrong chip configuration
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3be6bd690da0dafa55eb65279fb25297fcfe19d5;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

hwmon: (stts751) buffer overrun on wrong chip configuration

If stts751 hw by some reason reports conversion rate bigger then 9:
        ret = i2c_smbus_read_byte_data(priv->client, STTS751_REG_RATE);
then dereferencing stts751_intervals[priv->interval] leads to buffer
overrun.

The patch adds sanity check for value stored on chip.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 7f07ec0fa17a ("hwmon: new driver for ST stts751 thermal sensor")
Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
---

diff --git a/drivers/hwmon/stts751.c b/drivers/hwmon/stts751.c
index d56251d6eec2..3f940fb67dc6 100644
--- a/drivers/hwmon/stts751.c
+++ b/drivers/hwmon/stts751.c
@@ -718,6 +718,10 @@ static int stts751_read_chip_config(struct stts751_priv *priv)
 	ret = i2c_smbus_read_byte_data(priv->client, STTS751_REG_RATE);
 	if (ret < 0)
 		return ret;
+	if (ret >= ARRAY_SIZE(stts751_intervals)) {
+		dev_err(priv->dev, "Unrecognized conversion rate 0x%x\n", ret);
+		return -ENODEV;
+	}
 	priv->interval = ret;
 
 	ret = stts751_read_reg16(priv, &priv->event_max,