In the Linux kernel, the following vulnerability has been resolved:
iio: health: afe4403: Fix oob read in afe4403readraw
KASAN report out-of-bounds read as follows:
BUG: KASAN: global-out-of-bounds in afe4403readraw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279
Call Trace: afe4403readraw iioreadchannelinfo devattr_show
The buggy address belongs to the variable: afe4403channelleds+0x18/0xffffffffffffe9e0
This issue can be reproduced by singe command:
$ cat /sys/bus/spi/devices/spi0.0/iio\:device0/inintensity6raw
The array size of afe4403channelleds is less than channels, so access with chan->address cause OOB read in afe4403readraw. Fix it by moving access before use it.
{ "vanir_signatures": [ { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@726fa3e4ab97dcff1c745bdc4fb137366cb8d3df", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-06d5db41", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c9268df36818ee4eaaaeadc80009b442a5ca69c9", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-0a832a1f", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06c6ce21cec77dfa860d57e7a006000a57812efb", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-0baa4b38", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1756af172fb80a3edc143772d49e166ec691b6c", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-2d2f8937", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c9268df36818ee4eaaaeadc80009b442a5ca69c9", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-355c2dc4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d6a437064ffbe685c67ddb16dfc0946074c6c3f", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-4f7522b1", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d6a437064ffbe685c67ddb16dfc0946074c6c3f", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-641d47ab", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58143c1ed5882c138a3cd2251a336fc8755f23d9", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-8fd9cc6a", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@98afcb5f3be645d330c74c5194ba0d80e26f95e0", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-a0dcff26", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@726fa3e4ab97dcff1c745bdc4fb137366cb8d3df", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-aa47c7e1", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7e76a77aabef8989cbc0a8417af1aa040620867", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-b64855a8", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1756af172fb80a3edc143772d49e166ec691b6c", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-bce5ac24", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7e76a77aabef8989cbc0a8417af1aa040620867", "digest": { "threshold": 0.9, "line_hashes": [ "114433881119311130546352313161786666734", "303688631831028170472440182502154800358", "116056715193468670732929713805308460550", "245423751296172170587525460815645814462", "195611271617792441139211944532120733926", "73785172728923363044148037010832941047", "82400954021087591184568302353051725503", "326407924203194349808029339907329445070", "138486577575315658736858920533347544035", "217046300876584851160298516528818199417", "300152716627486013792263234380419424625", "171017772206944148129299678379125692079", "142860801048277184232372066777621020348", "157960204771988284551732154665729709892" ] }, "id": "CVE-2022-49031-bfc23c8d", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58143c1ed5882c138a3cd2251a336fc8755f23d9", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-c5a292c8", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06c6ce21cec77dfa860d57e7a006000a57812efb", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-cd8933b1", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "target": { "file": "drivers/iio/health/afe4403.c", "function": "afe4403_read_raw" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@98afcb5f3be645d330c74c5194ba0d80e26f95e0", "digest": { "length": 775.0, "function_hash": "317104073480058734441946103363751340313" }, "id": "CVE-2022-49031-d90c1903", "deprecated": false, "signature_type": "Function", "signature_version": "v1" } ] }