From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Andy Shevchenko <andy.shevchenko@gmail.com>,
Stable@vger.kernel.org
Subject: [PATCH 4.9 21/70] iio:adc:ti-adc081c Fix alignment and data leak issues
Date: Mon, 21 Sep 2020 18:27:21 +0200 [thread overview]
Message-ID: <20200921162036.086090915@linuxfoundation.org> (raw)
In-Reply-To: <20200921162035.136047591@linuxfoundation.org>
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 54f82df2ba86e2a8e9cbf4036d192366e3905c89 upstream.
One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv().
This data is allocated with kzalloc so no data can leak apart
from previous readings.
The eplicit alignment of ts is necessary to ensure correct padding
on x86_32 where s64 is only aligned to 4 bytes.
Fixes: 08e05d1fce5c ("ti-adc081c: Initial triggered buffer support")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-adc081c.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/iio/adc/ti-adc081c.c
+++ b/drivers/iio/adc/ti-adc081c.c
@@ -36,6 +36,12 @@ struct adc081c {
/* 8, 10 or 12 */
int bits;
+
+ /* Ensure natural alignment of buffer elements */
+ struct {
+ u16 channel;
+ s64 ts __aligned(8);
+ } scan;
};
#define REG_CONV_RES 0x00
@@ -132,14 +138,13 @@ static irqreturn_t adc081c_trigger_handl
struct iio_poll_func *pf = p;
struct iio_dev *indio_dev = pf->indio_dev;
struct adc081c *data = iio_priv(indio_dev);
- u16 buf[8]; /* 2 bytes data + 6 bytes padding + 8 bytes timestamp */
int ret;
ret = i2c_smbus_read_word_swapped(data->i2c, REG_CONV_RES);
if (ret < 0)
goto out;
- buf[0] = ret;
- iio_push_to_buffers_with_timestamp(indio_dev, buf,
+ data->scan.channel = ret;
+ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
iio_get_time_ns(indio_dev));
out:
iio_trigger_notify_done(indio_dev->trig);
next prev parent reply other threads:[~2020-09-21 16:34 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 16:27 [PATCH 4.9 00/70] 4.9.237-rc1 review Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 01/70] ARM: dts: socfpga: fix register entry for timer3 on Arria10 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 02/70] RDMA/rxe: Fix memleak in rxe_mem_init_user Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 03/70] RDMA/rxe: Drop pointless checks in rxe_init_ports Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 04/70] scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 05/70] drivers/net/wan/lapbether: Added needed_tailroom Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 06/70] NFC: st95hf: Fix memleak in st95hf_in_send_cmd Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 07/70] firestream: Fix memleak in fs_open Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 08/70] ALSA: hda: Fix 2 channel swapping for Tegra Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 09/70] drivers/net/wan/lapbether: Set network_header before transmitting Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 10/70] xfs: initialize the shortform attr header padding entry Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 11/70] irqchip/eznps: Fix build error for !ARC700 builds Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 12/70] drivers/net/wan/hdlc_cisco: Add hard_header_len Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 13/70] ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 14/70] gcov: Disable gcov build with GCC 10 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 15/70] iio: adc: mcp3422: fix locking scope Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 16/70] iio: adc: mcp3422: fix locking on error path Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 17/70] iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 18/70] iio:light:ltr501 Fix timestamp alignment issue Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 19/70] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 20/70] iio:adc:ina2xx Fix timestamp alignment issue Greg Kroah-Hartman
2020-09-21 16:27 ` Greg Kroah-Hartman [this message]
2020-09-21 16:27 ` [PATCH 4.9 22/70] drivers: iio: magnetometer: Fix sparse endianness warnings cast to restricted __be16 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 23/70] iio:magnetometer:ak8975 Fix alignment and data leak issues Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 24/70] iio:light:max44000 Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 25/70] iio: accel: kxsd9: Fix alignment of local buffer Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 26/70] iio:accel:mma7455: Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 27/70] iio:accel:mma8452: " Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 28/70] USB: core: add helpers to retrieve endpoints Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 29/70] staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 30/70] btrfs: fix wrong address when faulting in pages in the search ioctl Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 31/70] regulator: push allocation in set_consumer_device_supply() out of lock Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 32/70] scsi: target: iscsi: Fix data digest calculation Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 33/70] scsi: target: iscsi: Fix hang in iscsit_access_np() when getting tpg->np_login_sem Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 34/70] rbd: require global CAP_SYS_ADMIN for mapping and unmapping Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 35/70] fbcon: remove soft scrollback code Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 36/70] fbcon: remove now unusued softback_lines cursor() argument Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 37/70] vgacon: remove software scrollback support Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 38/70] KVM: VMX: Dont freeze guest when event delivery causes an APIC-access exit Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 39/70] video: fbdev: fix OOB read in vga_8planes_imageblit() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 40/70] staging: greybus: audio: fix uninitialized value issue Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 41/70] usb: core: fix slab-out-of-bounds Read in read_descriptors Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 42/70] USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 43/70] USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 44/70] usb: Fix out of sync data toggle if a configured device is reconfigured Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 45/70] IB/rxe: Remove a pointless indirection layer Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 46/70] RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 47/70] gcov: add support for GCC 10.1 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 48/70] net: handle the return value of pskb_carve_frag_list() correctly Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 49/70] NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 50/70] scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 51/70] scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 52/70] spi: spi-loopback-test: Fix out-of-bounds read Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 53/70] SUNRPC: stop printk reading past end of string Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 54/70] rapidio: Replace select DMAENGINES with depends on Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 55/70] i2c: algo: pca: Reapply i2c bus settings after reset Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 56/70] clk: rockchip: Fix initialization of mux_pll_src_4plls_p Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 57/70] Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 58/70] MIPS: SNI: Fix MIPS_L1_CACHE_SHIFT Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.9 59/70] perf test: Free formats for perf pmu parse test Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 60/70] fbcon: Fix user font detection test at fbcon_resize() Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 61/70] MIPS: SNI: Fix spurious interrupts Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 62/70] drm/mediatek: Add exception handing in mtk_drm_probe() if component init fail Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 63/70] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 64/70] USB: UAS: fix disconnect by unplugging a hub Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 65/70] usblp: fix race between disconnect() and read() Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 66/70] Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 67/70] serial: 8250_pci: Add Realtek 816a and 816b Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 68/70] ehci-hcd: Move include to keep CRC stable Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 69/70] powerpc/dma: Fix dma_map_ops::get_required_mask Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.9 70/70] x86/defconfig: Enable CONFIG_USB_XHCI_HCD=y Greg Kroah-Hartman
2020-09-22 6:46 ` [PATCH 4.9 00/70] 4.9.237-rc1 review Jon Hunter
2020-09-22 12:24 ` Naresh Kamboju
2020-09-22 20:17 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200921162036.086090915@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=andy.shevchenko@gmail.com \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.