In the Linux kernel, the following vulnerability has been resolved:
iio: Fix the sorting functionality in iiogtsbuildavailtime_table
The sorting in iiogtsbuildavailtime_table is not working as intended. It could result in an out-of-bounds access when the time is zero.
Here are more details:
3, 0, 1
, the inner for-loop will not terminate and do
out-of-bound writes. This is because once times[j] > new
, the value
new
will be added in the current position and the times[j]
will be
moved to j+1
position, which makes the if-condition always hold.
Meanwhile, idx will be added one, making the loop keep running without
termination and out-of-bound write.For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.