From nobody Wed Apr 15 16:42:59 2026 Received: from mail-dy1-f178.google.com (mail-dy1-f178.google.com [74.125.82.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E746226863 for ; Wed, 4 Mar 2026 07:08:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772608121; cv=none; b=l/CKB32vzvMvzUVeIJpW7vIqTN0gxLpm2EA8fFtrXJJmJdA7FKPE1u/nJOk6wjz6YMmp+KcR6eos0al4km7hTv//o+MNveeQb2cvAltjYqez5tLaSPSh4fLAD8BarOK1WOHlUA8jgdBw5ssHNagH78ErXkuyjH/w1j1D0a456wI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772608121; c=relaxed/simple; bh=2D7OmnZNznfr12HRuVWR6Mw7dZPUCmEaw/CtC/IUQUI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=E10H3doVGWsXpGGsHosE1Lu75pkZJx/lS4zu+MffjUYB/SBpfExeSVcGwRxqZUwj4q+loWdEktHiXn0CMVRGkEmT23mR9fV1P079pgzckgEZ5ZeWtH6uHdXN4nJx3KVoNA3gonr8ZxC7IY2UiTnrI9nuwJTydagn2Tc8R4qp6/I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=T1tyj4T8; arc=none smtp.client-ip=74.125.82.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="T1tyj4T8" Received: by mail-dy1-f178.google.com with SMTP id 5a478bee46e88-2bded9bf7a7so4764267eec.1 for ; Tue, 03 Mar 2026 23:08:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772608119; x=1773212919; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=s8nGnzPrNPl6mGWCEnP6l5wCtiMPY7eXNdUImo32HCY=; b=T1tyj4T8hQn2u90OpmQNEH/2pW5Qvgqzu1vIOrB0hNqT5B7No/M19Ma+oL8YaIaFf/ 23OWDOg+zfu8GOXnoK3V9tFX/wRhy6GYCOQbBykdjgi3mbjxMm/yHzYe08x4Fh7I+hLT wl3x+rrffbBOch7rMFE/ZXW9mMMVrcCI7OJu7yeqCtBksmA8++EKVIBQr3hujZoJnttV 1Bb1ViodrdPobZmM0c1tFT9cJjOOHvj+WcqW9Yu8ZigztqOMXTJsflQYQ+h8G68tshjX a8HDoIanw/Kwuct06EPRdwkBcoDyVYPSrwpt7GTnXZ0BP2ghQUrrPSJmdB7ZLhLDvVCY rfNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772608119; x=1773212919; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=s8nGnzPrNPl6mGWCEnP6l5wCtiMPY7eXNdUImo32HCY=; b=JIFavKfHKyreyzZBe4gEfVHDJ/oz7vg+9EdIepM6ZETbity6bxe/JNkFTJc/cBX2QX OUMVWOA+002CZiPrkZFdil00xhl0C6gL7Q/A/KM8XpyrvDe6L+etUCB6S2QF5CjdOFOJ QgwxnyETLZZk0W1jbg40ih61lqhoVdz0I7E1IyQs6K+irCAnE79OlQqWJZus/zninZxN KcUI9PMWpIlmUz0r3Dw2t2FSNxYzGfteW52eHNhjni7ORcyn7wt2Hce+TLYJaMk0oubC 5dtBWPw+5WGIZrKx01sekn9pdjVKt3FAXMgwFqthvrS8h1Sy0itlelryIIm0OTRHC8wZ cIOw== X-Forwarded-Encrypted: i=1; AJvYcCWUKG21F4EyfQihYw8MYpUhuo0Icr1ggxaK38LQTxg83s3dC00+EqZgWP2Jxt3eWU/AKPfQUDXKpiH9lJU=@vger.kernel.org X-Gm-Message-State: AOJu0Ywcbr6pExk6fQYXcWMGhpIZxYECmpqmtPZxcHzHGS245YWOJdli NQQNxZxnztSu3GtZbctoM7AtcPbv3DrwS/TUw4c0Lt10X1SWe+cZyJas X-Gm-Gg: ATEYQzwuF7o+lKmRwjyL6wTpeZKjsA4LbDhO8uKNf0WjL6uEXGmyZpG3+gZs+fcBK4g 7T112Smb4MQDOs3I7DfzX2V9u6ebE6Flj5Tj62nG6PlqPaAYzJfBei0lp1/yxpaa38caPmOXJJi CQysf7S7HzcpONGiMYU0bG8xlGm7ISK1zllw7Ypvz1fy+uSeONaF7cJH4ST2sPTTD4jObHvOUg/ qo+Hwfbb6QI/WRIdRxFaQijeTUWg2SnW9rUHJM0+ijLkwXtbXkcOSyFLlfqFB0iWIiAck+WwJ48 8Ukg70BzFxe5bXlbSep18aBrFjaRRlr65X1GYlGd7TBQP2q34IhSET6Ne62R+776Has5w6Vo2YE QjZal4Td7WTCagojrbkp0LaYShZOc0l5oKXyqwTSrrBpNDORvjcVXcfv1B2/v6zTGGsM16ikmCr lW59KGyzWHmXw2haG6XJqQHWPolxwLYA7MzkWeyC23X6ze4NDy8VQ5poBRnxnltsjRlB8DhN5l+ KJfT7X6OTM= X-Received: by 2002:a05:7301:2f88:b0:2be:778:49aa with SMTP id 5a478bee46e88-2be3108f8d4mr323361eec.27.1772608118477; Tue, 03 Mar 2026 23:08:38 -0800 (PST) Received: from localhost.localdomain (c-67-164-93-214.hsd1.ca.comcast.net. [67.164.93.214]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2be2f5f1f4dsm831673eec.25.2026.03.03.23.08.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Mar 2026 23:08:37 -0800 (PST) From: Sanman Pradhan X-Google-Original-From: Sanman Pradhan To: Guenter Roeck Cc: linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, andriy.shevchenko@intel.com, Sanman Pradhan Subject: [PATCH v2] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Date: Tue, 3 Mar 2026 23:06:08 -0800 Message-Id: <20260304070607.1942-1-psanman@juniper.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call. Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ1= 08A2") Cc: stable@vger.kernel.org Signed-off-by: Sanman Pradhan --- v2: - Fixed email formatting/line-wrapping issues --- drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/hwmon/pmbus/q54sj108a2.c b/drivers/hwmon/pmbus/q54sj10= 8a2.c index fc030ca34480..d5d60a9af8c5 100644 --- a/drivers/hwmon/pmbus/q54sj108a2.c +++ b/drivers/hwmon/pmbus/q54sj108a2.c @@ -79,7 +79,8 @@ static ssize_t q54sj108a2_debugfs_read(struct file *file,= char __user *buf, int idx =3D *idxp; struct q54sj108a2_data *psu =3D to_psu(idxp, idx); char data[I2C_SMBUS_BLOCK_MAX + 2] =3D { 0 }; - char data_char[I2C_SMBUS_BLOCK_MAX + 2] =3D { 0 }; + char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] =3D { 0 }; + char *out =3D data; char *res; =20 switch (idx) { @@ -150,27 +151,27 @@ static ssize_t q54sj108a2_debugfs_read(struct file *f= ile, char __user *buf, if (rc < 0) return rc; =20 - res =3D bin2hex(data, data_char, 32); - rc =3D res - data; - + res =3D bin2hex(data_char, data, rc); + rc =3D res - data_char; + out =3D data_char; break; case Q54SJ108A2_DEBUGFS_FLASH_KEY: rc =3D i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, dat= a); if (rc < 0) return rc; =20 - res =3D bin2hex(data, data_char, 4); - rc =3D res - data; - + res =3D bin2hex(data_char, data, rc); + rc =3D res - data_char; + out =3D data_char; break; default: return -EINVAL; } =20 - data[rc] =3D '\n'; + out[rc] =3D '\n'; rc +=3D 2; =20 - return simple_read_from_buffer(buf, count, ppos, data, rc); + return simple_read_from_buffer(buf, count, ppos, out, rc); } =20 static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __us= er *buf, --=20 2.34.1