From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
	Akinobu Mita <akinobu.mita@gmail.com>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Andy Shevchenko <andy.shevchenko@gmail.com>,
	Stable@vger.kernel.org
Subject: [PATCH 4.14 30/94] iio:adc:max1118 Fix alignment of timestamp and data leak issues
Date: Mon, 21 Sep 2020 18:27:17 +0200
Message-ID: <20200921162036.941209076@linuxfoundation.org>
In-Reply-To: <20200921162035.541285330@linuxfoundation.org>

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

commit db8f06d97ec284dc018e2e4890d2e5035fde8630 upstream.

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes).  This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here.  We close both issues by
moving to a suitable structure in the iio_priv() data.

This data is allocated with kzalloc so no data can leak apart
from previous readings.

The explicit alignment of ts is necessary to ensure correct padding
on architectures where s64 is only 4 bytes aligned such as x86_32.

Fixes: a9e9c7153e96 ("iio: adc: add max1117/max1118/max1119 ADC driver")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Cc: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/max1118.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/iio/adc/max1118.c
+++ b/drivers/iio/adc/max1118.c
@@ -38,6 +38,11 @@ struct max1118 {
 	struct spi_device *spi;
 	struct mutex lock;
 	struct regulator *reg;
+	/* Ensure natural alignment of buffer elements */
+	struct {
+		u8 channels[2];
+		s64 ts __aligned(8);
+	} scan;
 
 	u8 data ____cacheline_aligned;
 };
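
Review bot: The comment on the new `scan` member says only "Ensure natural alignment of buffer elements" and records neither why `s64 ts __aligned(8)` is spelled out nor what layout the structure must have. The commit message gives the reason (s64 is only 4-byte aligned on architectures such as x86_32), and the comment on the removed stack buffer described the layout as 2x 8-bit ADC data + padding + 8 bytes timestamp; carrying both into this comment would stop a later cleanup from dropping the attribute or changing `channels[2]` without rechecking where `ts` lands. It is also worth stating here that the padding between `channels` and `ts` is zero only because the iio_priv() area is allocated with kzalloc, since the whole structure is what gets handed to iio_push_to_buffers_with_timestamp().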
@@ -163,7 +168,6 @@ static irqreturn_t max1118_trigger_handl
 	struct iio_poll_func *pf = p;
 	struct iio_dev *indio_dev = pf->indio_dev;
 	struct max1118 *adc = iio_priv(indio_dev);
-	u8 data[16] = { }; /* 2x 8-bit ADC data + padding + 8 bytes timestamp */
 	int scan_index;
 	int i = 0;
 
@@ -181,10 +185,10 @@ static irqreturn_t max1118_trigger_handl
 			goto out;
 		}
 
-		data[i] = ret;
+		adc->scan.channels[i] = ret;
 		i++;
 	}
-	iio_push_to_buffers_with_timestamp(indio_dev, data,
+	iio_push_to_buffers_with_timestamp(indio_dev, &adc->scan,
 					   iio_get_time_ns(indio_dev));
 out:
 	mutex_unlock(&adc->lock);
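
Review bot: At `adc->scan.channels[i] = ret;` the buffer is no longer cleared per invocation: the removed `u8 data[16] = { };` started from zero on every trigger, while `adc->scan` keeps whatever the previous capture stored. Any slot not written by this pass of the loop is handed to iio_push_to_buffers_with_timestamp() with its earlier contents. The commit message accepts this (nothing can leak apart from previous readings), but a short comment at the push saying so, or clearing `adc->scan.channels` before the loop, would make the intent explicit for the next reader. The shared buffer also depends on `adc->lock` being held from the first store through the push; the `mutex_unlock(&adc->lock)` after `out:` is consistent with that, but the lock acquisition is outside the visible context and should be confirmed.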


