Re: [PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions

From: Christophe JAILLET
Date: Sat Aug 09 2025 - 15:54:58 EST

Next message: Jonathan Cameron: "Re: [PATCH] iio: light: ltr390: Add remove callback with needed support in device registration"
Previous message: Jonathan Cameron: "Re: [PATCH v2 3/3] iio: adc: update ad7779 to use IIO backend"
In reply to: wajahat iqbal: "[PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions"
Next in thread: wajahat iqbal: "Re: [PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le 09/08/2025 à 17:54, wajahat iqbal a écrit :

Found a couple of issues in the ds1682 driver while reviewing the code:

The EEPROM read/write functions don't check if offset and count exceed
the 10-byte EEPROM size, which could lead to out-of-bounds I2C access.

Also replaced sprintf with scnprintf in the sysfs show function for
better safety.

For reads beyond EEPROM size, return 0. For writes, return -EINVAL if
starting beyond bounds, otherwise truncate to fit within the EEPROM.

Signed-off-by: Wajahat Iqbal <wajahatiqbal22@xxxxxxxxx>
---
drivers/misc/ds1682.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/ds1682.c b/drivers/misc/ds1682.c
index cb09e056531a..4cf4b43e5355 100644
--- a/drivers/misc/ds1682.c
+++ b/drivers/misc/ds1682.c
@@ -92,7 +92,7 @@ static ssize_t ds1682_show(struct device *dev,
struct device_attribute *attr,
* Special case: the 32 bit regs are time values with 1/4s
* resolution, scale them up to milliseconds
*/
- return sprintf(buf, "%llu\n", (sattr->nr == 4) ? (val * 250) : val);
+ return scnprintf(buf, PAGE_SIZE, "%llu\n", (sattr->nr == 4) ? (val *
250) : val);
}

static ssize_t ds1682_store(struct device *dev, struct device_attribute *attr,
@@ -163,6 +163,11 @@ static ssize_t ds1682_eeprom_read(struct file
*filp, struct kobject *kobj,
dev_dbg(&client->dev, "ds1682_eeprom_read(p=%p, off=%lli, c=%zi)\n",
buf, off, count);

+ if (off >= DS1682_EEPROM_SIZE)
+ return 0;
+ if (off + count > DS1682_EEPROM_SIZE)
+ count = DS1682_EEPROM_SIZE - off;
+
rc = i2c_smbus_read_i2c_block_data(client, DS1682_REG_EEPROM + off,
count, buf);
if (rc < 0)
@@ -180,6 +185,11 @@ static ssize_t ds1682_eeprom_write(struct file
*filp, struct kobject *kobj,
dev_dbg(&client->dev, "ds1682_eeprom_write(p=%p, off=%lli, c=%zi)\n",
buf, off, count);

+ if (off >= DS1682_EEPROM_SIZE)
+ return -EINVAL;
+ if (off + count > DS1682_EEPROM_SIZE)
+ count = DS1682_EEPROM_SIZE - off;
+
/* Write out to the device */
if (i2c_smbus_write_i2c_block_data(client, DS1682_REG_EEPROM + off,
count, buf) < 0)

Are these new tests really needed?

Isn't it already done the same way by the core, because of the ".size = DS1682_EEPROM_SIZE" in ds1682_eeprom_attr?

I'm' not really familiar with this code, but my understanding is that it goes thru sysfs_kf_bin_write() and sysfs_kf_bin_read().

CJ

Next message: Jonathan Cameron: "Re: [PATCH] iio: light: ltr390: Add remove callback with needed support in device registration"
Previous message: Jonathan Cameron: "Re: [PATCH v2 3/3] iio: adc: update ad7779 to use IIO backend"
In reply to: wajahat iqbal: "[PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions"
Next in thread: wajahat iqbal: "Re: [PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]