From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Stable@vger.kernel.org,
Tomasz Duszynski <tomasz.duszynski@octakon.com>
Subject: [PATCH 5.7 08/24] iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.
Date: Tue, 9 Jun 2020 19:45:39 +0200 [thread overview]
Message-ID: <20200609174149.993708614@linuxfoundation.org> (raw)
In-Reply-To: <20200609174149.255223112@linuxfoundation.org>
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 13e945631c2ffb946c0af342812a3cd39227de6e upstream.
One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc so no
data can leak appart from previous readings.
Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: <Stable@vger.kernel.org>
Acked-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/pms7003.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/iio/chemical/pms7003.c
+++ b/drivers/iio/chemical/pms7003.c
@@ -73,6 +73,11 @@ struct pms7003_state {
struct pms7003_frame frame;
struct completion frame_ready;
struct mutex lock; /* must be held whenever state gets touched */
+ /* Used to construct scan to push to the IIO buffer */
+ struct {
+ u16 data[3]; /* PM1, PM2P5, PM10 */
+ s64 ts;
+ } scan;
};
static int pms7003_do_cmd(struct pms7003_state *state, enum pms7003_cmd cmd)
@@ -104,7 +109,6 @@ static irqreturn_t pms7003_trigger_handl
struct iio_dev *indio_dev = pf->indio_dev;
struct pms7003_state *state = iio_priv(indio_dev);
struct pms7003_frame *frame = &state->frame;
- u16 data[3 + 1 + 4]; /* PM1, PM2P5, PM10, padding, timestamp */
int ret;
mutex_lock(&state->lock);
@@ -114,12 +118,15 @@ static irqreturn_t pms7003_trigger_handl
goto err;
}
- data[PM1] = pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
- data[PM2P5] = pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
- data[PM10] = pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
+ state->scan.data[PM1] =
+ pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
+ state->scan.data[PM2P5] =
+ pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
+ state->scan.data[PM10] =
+ pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
mutex_unlock(&state->lock);
- iio_push_to_buffers_with_timestamp(indio_dev, data,
+ iio_push_to_buffers_with_timestamp(indio_dev, &state->scan,
iio_get_time_ns(indio_dev));
err:
iio_trigger_notify_done(indio_dev->trig);
next prev parent reply other threads:[~2020-06-09 17:56 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 17:45 [PATCH 5.7 00/24] 5.7.2-rc1 review Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 01/24] USB: serial: qcserial: add DW5816e QDL support Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 02/24] USB: serial: usb_wwan: do not resubmit rx urb on fatal errors Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 03/24] USB: serial: option: add Telit LE910C1-EUX compositions Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 04/24] USB: serial: ch341: add basis for quirk detection Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 05/24] USB: serial: ch341: fix lockup of devices with limited prescaler Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 06/24] iio:chemical:sps30: Fix timestamp alignment Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 07/24] iio: vcnl4000: Fix i2c swapped word reading Greg Kroah-Hartman
2020-06-09 17:45 ` Greg Kroah-Hartman [this message]
2020-06-09 17:45 ` [PATCH 5.7 09/24] iio: adc: stm32-adc: fix a wrong error message when probing interrupts Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 10/24] usb: musb: start session in resume for host port Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 11/24] usb: musb: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 12/24] usb: musb: jz4740: Prevent lockup when CONFIG_SMP is set Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 13/24] serial: 8250: Enable 16550A variants by default on non-x86 Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 14/24] vt: keyboard: avoid signed integer overflow in k_ascii Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 15/24] tty: hvc_console, fix crashes on parallel open/close Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 16/24] staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 17/24] CDC-ACM: heed quirk also in error handling Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 18/24] nvmem: qfprom: remove incorrect write support Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 19/24] x86/cpu: Add a steppings field to struct x86_cpu_id Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 20/24] x86/cpu: Add table argument to cpu_matches() Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 21/24] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 22/24] x86/speculation: Add SRBDS vulnerability and mitigation documentation Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 23/24] x86/speculation: Add Ivy Bridge to affected list Greg Kroah-Hartman
2020-06-09 17:45 ` [PATCH 5.7 24/24] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned Greg Kroah-Hartman
2020-06-10 6:17 ` [PATCH 5.7 00/24] 5.7.2-rc1 review Naresh Kamboju
2020-06-10 18:39 ` Greg Kroah-Hartman
2020-06-10 11:30 ` Jon Hunter
2020-06-10 11:50 ` Greg Kroah-Hartman
2020-06-10 13:13 ` Shuah Khan
2020-06-10 19:11 ` Guenter Roeck
2020-06-11 7:20 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200609174149.993708614@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tomasz.duszynski@octakon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).