tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.

Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.

Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.

Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.

Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
Cc: stable@vger.kernel.org
Signed-off-by: Sanman Pradhan <psanman@juniper.net>
Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>

authored by

Sanman Pradhan and committed by
Guenter Roeck 25dd70a0 170a4b21

+10 -9
+10 -9
drivers/hwmon/pmbus/q54sj108a2.c
··· 79 79 int idx = *idxp; 80 80 struct q54sj108a2_data *psu = to_psu(idxp, idx); 81 81 char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; 82 - char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; 82 + char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 }; 83 + char *out = data; 83 84 char *res; 84 85 85 86 switch (idx) { ··· 151 150 if (rc < 0) 152 151 return rc; 153 152 154 - res = bin2hex(data, data_char, 32); 155 - rc = res - data; 156 - 153 + res = bin2hex(data_char, data, rc); 154 + rc = res - data_char; 155 + out = data_char; 157 156 break; 158 157 case Q54SJ108A2_DEBUGFS_FLASH_KEY: 159 158 rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data); 160 159 if (rc < 0) 161 160 return rc; 162 161 163 - res = bin2hex(data, data_char, 4); 164 - rc = res - data; 165 - 162 + res = bin2hex(data_char, data, rc); 163 + rc = res - data_char; 164 + out = data_char; 166 165 break; 167 166 default: 168 167 return -EINVAL; 169 168 } 170 169 171 - data[rc] = '\n'; 170 + out[rc] = '\n'; 172 171 rc += 2; 173 172 174 - return simple_read_from_buffer(buf, count, ppos, data, rc); 173 + return simple_read_from_buffer(buf, count, ppos, out, rc); 175 174 } 176 175 177 176 static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,