1. Patchew
  2. linux
  3. View series

[PATCH] iio: chemical: mhz19b: reject oversized serial replies

Pengpeng Hou posted 1 patch 2 months, 1 week ago 
drivers/iio/chemical/mhz19b.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
[PATCH] iio: chemical: mhz19b: reject oversized serial replies
Posted by Pengpeng Hou 2 months, 1 week ago 
mhz19b_receive_buf() appends each serdev chunk into the fixed
MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
checking that the chunk fits in the remaining space. A large callback
can therefore overflow st->buf before the command path validates the
reply.

Reset the reply state before each command and reject oversized serial
replies before copying them into the fixed buffer. When an oversized
reply is detected, wake the waiter and report -EMSGSIZE instead of
overwriting st->buf.

Fixes: 4572a70b3681 ("iio: chemical: Add support for Winsen MHZ19B CO2 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/iio/chemical/mhz19b.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
index 3c64154918b1..90c997191c83 100644
--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -52,6 +52,7 @@ struct mhz19b_state {
 	struct completion buf_ready;
 
 	u8 buf_idx;
+	bool buf_overflow;
 	/*
 	 * Serdev receive buffer.
 	 * When data is received from the MH-Z19B,
@@ -106,6 +107,10 @@ static int mhz19b_serdev_cmd(struct iio_dev *indio_dev, int cmd, u16 arg)
 	cmd_buf[8] = mhz19b_get_checksum(cmd_buf);
 
 	/* Write buf to uart ctrl synchronously */
+	st->buf_idx = 0;
+	st->buf_overflow = false;
+	reinit_completion(&st->buf_ready);
+
 	ret = serdev_device_write(serdev, cmd_buf, MHZ19B_CMD_SIZE, 0);
 	if (ret < 0)
 		return ret;
@@ -121,6 +126,9 @@ static int mhz19b_serdev_cmd(struct iio_dev *indio_dev, int cmd, u16 arg)
 		if (!ret)
 			return -ETIMEDOUT;
 
+		if (st->buf_overflow)
+			return -EMSGSIZE;
+
 		if (st->buf[8] != mhz19b_get_checksum(st->buf)) {
 			dev_err(dev, "checksum err");
 			return -EINVAL;
@@ -240,6 +248,14 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
 {
 	struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
 	struct mhz19b_state *st = iio_priv(indio_dev);
+	size_t remaining = MHZ19B_CMD_SIZE - st->buf_idx;
+
+	if (len > remaining) {
+		st->buf_idx = 0;
+		st->buf_overflow = true;
+		complete(&st->buf_ready);
+		return len;
+	}
 
 	memcpy(st->buf + st->buf_idx, data, len);
 	st->buf_idx += len;
-- 
2.50.1 (Apple Git-155)
Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
Posted by Gyeyoung Baek 2 months, 1 week ago 
Hello,

On Thu, Apr 2, 2026 at 2:40 PM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> mhz19b_receive_buf() appends each serdev chunk into the fixed
> MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> checking that the chunk fits in the remaining space. A large callback
> can therefore overflow st->buf before the command path validates the
> reply.
>
> Reset the reply state before each command and reject oversized serial
> replies before copying them into the fixed buffer. When an oversized
> reply is detected, wake the waiter and report -EMSGSIZE instead of
> overwriting st->buf.
>

Acked-by: Gyeyoung Baek <gye976@gmail.com>

-- 
Thanks,
Gyeyoung
Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
Posted by Andy Shevchenko 2 months, 1 week ago 
On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> mhz19b_receive_buf() appends each serdev chunk into the fixed
> MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> checking that the chunk fits in the remaining space. A large callback
> can therefore overflow st->buf before the command path validates the
> reply.
> 
> Reset the reply state before each command and reject oversized serial
> replies before copying them into the fixed buffer. When an oversized
> reply is detected, wake the waiter and report -EMSGSIZE instead of
> overwriting st->buf.

...

>  	struct completion buf_ready;
>  
>  	u8 buf_idx;
> +	bool buf_overflow;

+ blank line here.

(No need to resend just for this.)

-- 
With Best Regards,
Andy Shevchenko
Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
Posted by Jonathan Cameron 2 months ago 
On Thu, 2 Apr 2026 11:39:04 +0300
Andy Shevchenko <andriy.shevchenko@intel.com> wrote:

> On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> > mhz19b_receive_buf() appends each serdev chunk into the fixed
> > MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> > checking that the chunk fits in the remaining space. A large callback
> > can therefore overflow st->buf before the command path validates the
> > reply.
> > 
> > Reset the reply state before each command and reject oversized serial
> > replies before copying them into the fixed buffer. When an oversized
> > reply is detected, wake the waiter and report -EMSGSIZE instead of
> > overwriting st->buf.  
> 
> ...
> 
> >  	struct completion buf_ready;
> >  
> >  	u8 buf_idx;
> > +	bool buf_overflow;  
> 
> + blank line here.
> 
> (No need to resend just for this.)
> 

This version addressed the comment I just made on v2 so all good.

I tweaked whilst applying.
Applied to the fixes-togreg branch of iio.git.

Note I'm unlikely to send another fixes pull request this cycle, so
I'll rebase that branch on rc1 once available and send out then.

Thanks,

Jonathan

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.