From nobody Thu Apr 9 23:25:15 2026 Received: from mail-dy1-f169.google.com (mail-dy1-f169.google.com [74.125.82.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D50534B437 for ; Wed, 4 Mar 2026 23:54:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772668474; cv=none; b=JEJ6qrijQSGGEdqn0zid8fJV7n1A3Cr8uAiODlmLNbhRm29IeYRygxjxdflwSiVoW3Lp3lsLA5Vvu1X2DqtvEZS1GvRpE/vs9UCGxkPFyPUdcuHsPeMV5JDjV5dmUqHfAt4xGx30tpj6NLKMxr6YT6k/dUq4zChANEpYjnHabkE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772668474; c=relaxed/simple; bh=1ryANju3Ar4X9WTQ8vLKNNPSH0DRzpHGinxvGeEFaac=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=idSMy6o5xdjx8EvTikr7h8+dZ0FCt8S7dzl6SO3S8FfgfiBmUW9iQfxwFFyvDcWUcfp1IlotUEnCRZcG7xCOYnmrweGznHoDK6ZBihWenCVVvM2kfGA4G9MSElRVblVkTK1mAThvXozVpTJws+9SRu5jiCftAuwXHPX6dxauURc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=k0z/7OPT; arc=none smtp.client-ip=74.125.82.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="k0z/7OPT" Received: by mail-dy1-f169.google.com with SMTP id 5a478bee46e88-2bdd40d3c61so6162218eec.1 for ; Wed, 04 Mar 2026 15:54:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772668471; x=1773273271; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WpK5v0erAcEOSlwebTzYjsOHzTGHJQo4jlwH6VYDLJw=; b=k0z/7OPTF3OE9a5QviAT3O0lttW8MP+NJaHCt7uI0F84qPuw660VdkJKSaRcTjurJy 6mOVMLwRcD6we6InSsCwJ2g7ZLuGI/oZ+1YxLVLQygfyEwmGBw4hG1rOwwM0agg8UE+v kWklKrz0JfiM8fzgG7o+humkdU+KcKbygfEowmtTN8bBKJ7/jtqooJt086CdYqRbsoYC x1uqb0oN33eyoVz/ZoeUbMN1YvjYWz2N3SKuszpYJYI3wR7kGzeqoPbAFPehvUqo2RA2 nuMmufjFgXM6WtK5my9/5Q0xUtz8z9pGGdQHRRH/JSHJsAZyKQyO2IPizNiwAY8WnFDg L8Pg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772668471; x=1773273271; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=WpK5v0erAcEOSlwebTzYjsOHzTGHJQo4jlwH6VYDLJw=; b=kk9vyQjXdnYlP6YfNQ4nrLuBVgRFQOjabV3UMP98wtnzhoLQRRT1vRRarTJ77j6HoH xL9qb5s3yLZU0FkOYrZLWzs4SOnNRXNK4zUOEmtwEz6nESplWpNO3KAkcj/kzFaDx8Vp X/tOlBrPfIMyae6Dm5ZnEuPdKsZPlp4nvtDJrCgFBXPZY5lNY9bLJWafSkWNBKZD7Bcf 6gMvt3jUBEJu8LkNJVybYbtAnHn6HRIWtkpgI/aJXGkT1j/E7wyQ2OQgMoH3Y6TANsix yxpzb0EJNiSCvDnV64WRvwxTDtxDnAOiQwlOw2lGWVzwrJgkZI3HSsiBfgPPs5bAiZvb VW5Q== X-Forwarded-Encrypted: i=1; AJvYcCUjaqPjPxbndH9RguHr3xzyJPjM0Q+OHlSSld1CELXP81wAa/zxk+pD4qi6dK8+oVuAK4JUIlwMYoeoVDY=@vger.kernel.org X-Gm-Message-State: AOJu0Yy3MXoR4ZW4IGyBhneX84auExtonh7F+EQhrPxPPielNzR7379i 27+yHU/oaj9EHvmjIEInERmg1rOwOipoLn+plLui+nWKuTNj31dEgTK42zC01QUOsz0= X-Gm-Gg: ATEYQzy3hxM9BdhrLMOf1YXQnfSgGqD+FbshhzLh0it5Q3ZgQaUXMgDoj8ooeV55Tkk eeAe0uCVQHN0Rf2WGlKxYvbseqNXv2VJKezuzO1rGCN0yzOOuiMWNGjCcUZEDsoeyGCF7lor8Us cYc4KghqII8WpDJrIK+sdIUI5WW/OSG0nvySllBoKrhb3+0bztoh8EbL3/nuTslI04PAeqGs+Pp Yjw56E6/YljtnkE6fiIMghJ1vX4mbNOwA9Z7+DJogVAh553+7/ONFySrcGcn/9ExIRDwg8mqii4 lHidZlxgUo8vdfVh5qS/K3Vb4tvvTGYOzuUoZ4YWGhkgm3mekoo617zBLP0w7EP3F/ZIRNutxjo ZaZrbOR+1ZMYGljGSpkYazlzlp3Ami9z3DPNMomc1ld1LyZA24JQaBouhcp2KgpcaVUtUJK+k50 StyBoOs93VL6+fvTQhOiAoNLGsnCJ+LSzHGZfHgiuSefZZA0JumTG0VayEjD/buaodMJ8/aVkvc FRZ9N4= X-Received: by 2002:a05:7300:6423:b0:2be:1f56:ecf6 with SMTP id 5a478bee46e88-2be30fcff4bmr1485430eec.6.1772668471087; Wed, 04 Mar 2026 15:54:31 -0800 (PST) Received: from localhost.localdomain (c-67-164-93-214.hsd1.ca.comcast.net. [67.164.93.214]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2be12805b93sm9269888eec.15.2026.03.04.15.54.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 15:54:30 -0800 (PST) From: Sanman Pradhan To: Guenter Roeck Cc: psanman@juniper.net, andriy.shevchenko@intel.com, linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v3] hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read Date: Wed, 4 Mar 2026 15:51:17 -0800 Message-Id: <20260304235116.1045-1-sanman.p211993@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sanman Pradhan The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call. Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ1= 08A2") Cc: stable@vger.kernel.org Signed-off-by: Sanman Pradhan --- v3: - Added in-body From: header to fix author/sender mismatch. v2: - Fixed email formatting/line-wrapping issues. --- drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/hwmon/pmbus/q54sj108a2.c b/drivers/hwmon/pmbus/q54sj10= 8a2.c index fc030ca34480..d5d60a9af8c5 100644 --- a/drivers/hwmon/pmbus/q54sj108a2.c +++ b/drivers/hwmon/pmbus/q54sj108a2.c @@ -79,7 +79,8 @@ static ssize_t q54sj108a2_debugfs_read(struct file *file,= char __user *buf, int idx =3D *idxp; struct q54sj108a2_data *psu =3D to_psu(idxp, idx); char data[I2C_SMBUS_BLOCK_MAX + 2] =3D { 0 }; - char data_char[I2C_SMBUS_BLOCK_MAX + 2] =3D { 0 }; + char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] =3D { 0 }; + char *out =3D data; char *res; =20 switch (idx) { @@ -150,27 +151,27 @@ static ssize_t q54sj108a2_debugfs_read(struct file *f= ile, char __user *buf, if (rc < 0) return rc; =20 - res =3D bin2hex(data, data_char, 32); - rc =3D res - data; - + res =3D bin2hex(data_char, data, rc); + rc =3D res - data_char; + out =3D data_char; break; case Q54SJ108A2_DEBUGFS_FLASH_KEY: rc =3D i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, dat= a); if (rc < 0) return rc; =20 - res =3D bin2hex(data, data_char, 4); - rc =3D res - data; - + res =3D bin2hex(data_char, data, rc); + rc =3D res - data_char; + out =3D data_char; break; default: return -EINVAL; } =20 - data[rc] =3D '\n'; + out[rc] =3D '\n'; rc +=3D 2; =20 - return simple_read_from_buffer(buf, count, ppos, data, rc); + return simple_read_from_buffer(buf, count, ppos, out, rc); } =20 static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __us= er *buf, --=20 2.34.1