In the Linux kernel, the following vulnerability has been resolved:
iio: Fix the sorting functionality in iio_gts_build_avail_time_table
The sorting in iio_gts_build_avail_time_table is not working as intended. It could result in an out-of-bounds access when the time is zero.
Here are more details:
- When gts->itime_table[i].time_us is zero, e.g., with the times 3, 0, 1, the inner for-loop will not terminate and will do out-of-bounds writes. This is because once times[j] > new, the value new is inserted at the current position and times[j] is moved to position j+1, which makes the if-condition always hold. Meanwhile, idx is incremented by one, so the loop keeps running without terminating and writes out of bounds.
- If none of the gts->itime_table[i].time_us is zero, the elements
For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.
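
The non-terminating insert described above, as a user-space model added here (not the kernel source and not the upstream patch). `sort_flawed` is reconstructed from the description, with a bounds guard that exists only in the model, and `sort_fixed` is one way to insert once and stop. `CAP` and both function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define CAP 8 /* constructed buffer size for this model */

/* Flawed loop as described: no break after inserting `new` at j, so the value
 * just moved to times[j + 1] is again > new. Returns the entry count, or -1
 * where the next write would leave the buffer (guard exists only here). */
int sort_flawed(const int *in, int n, int *times)
{
    int idx = 0;
    memset(times, 0, CAP * sizeof(int));
    for (int i = 0; i < n && idx < CAP; i++) {
        int new = in[i];
        if (times[idx] < new) {
            times[idx++] = new;
            continue;
        }
        for (int j = 0; j <= idx && j < CAP; j++) {
            if (times[j] > new) {
                if (idx >= CAP) return -1; /* next write would hit times[CAP] */
                memmove(&times[j + 1], &times[j], (idx - j) * sizeof(int));
                times[j] = new;
                idx++; /* the bound j <= idx grows with every pass */
            }
        }
    }
    return idx;
}

/* Corrected model: find the slot, insert once, move to the next input. */
int sort_fixed(const int *in, int n, int *times)
{
    int idx = 0;
    for (int i = 0; i < n && idx < CAP; i++) {
        int j = 0;
        while (j < idx && times[j] <= in[i]) j++;
        memmove(&times[j + 1], &times[j], (idx - j) * sizeof(int));
        times[j] = in[i];
        idx++;
    }
    return idx;
}

int main(void)
{
    const int in[] = { 3, 0, 1 }; /* sequence from the description */
    int a[CAP], b[CAP];
    printf("flawed: %d, fixed: %d\n", sort_flawed(in, 3, a), sort_fixed(in, 3, b));
    return 0;
}
```

In the model the zero entry makes the single value 3 propagate through every slot until the guard trips; without the guard the same loop keeps writing past the end of the array.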