| Message ID | 20241204-iio_memset_scan_holes-v2-1-3f941592a76d@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | iio: fix information leaks in triggered buffers | expand |
On Wed, 04 Dec 2024 00:55:31 +0100 Javier Carrasco <javier.carrasco.cruz@gmail.com> wrote: > The 'scan' local struct is used to push data to user space from a > triggered buffer, but it has a hole between the two 16-bit data channels > and the timestamp. This hole is never initialized. > > Initialize the struct to zero before using it to avoid pushing > uninitialized information to userspace. > > Cc: stable@vger.kernel.org > Fixes: 91f75ccf9f03 ("iio: temperature: tmp006: add triggered buffer support") > Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com> Applied but dropped the stable tag. The patch this is fixing isn't in a release yet. Jonathan > --- > drivers/iio/temperature/tmp006.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/iio/temperature/tmp006.c b/drivers/iio/temperature/tmp006.c > index 0c844137d7aa..02b27f471baa 100644 > --- a/drivers/iio/temperature/tmp006.c > +++ b/drivers/iio/temperature/tmp006.c > @@ -252,6 +252,8 @@ static irqreturn_t tmp006_trigger_handler(int irq, void *p) > } scan; > s32 ret; > > + memset(&scan, 0, sizeof(scan)); > + > ret = i2c_smbus_read_word_data(data->client, TMP006_VOBJECT); > if (ret < 0) > goto err; >
diff --git a/drivers/iio/temperature/tmp006.c b/drivers/iio/temperature/tmp006.c index 0c844137d7aa..02b27f471baa 100644 --- a/drivers/iio/temperature/tmp006.c +++ b/drivers/iio/temperature/tmp006.c @@ -252,6 +252,8 @@ static irqreturn_t tmp006_trigger_handler(int irq, void *p) } scan; s32 ret; + memset(&scan, 0, sizeof(scan)); + ret = i2c_smbus_read_word_data(data->client, TMP006_VOBJECT); if (ret < 0) goto err;
The 'scan' local struct is used to push data to user space from a triggered buffer, but it has a hole between the two 16-bit data channels and the timestamp. This hole is never initialized. Initialize the struct to zero before using it to avoid pushing uninitialized information to userspace. Cc: stable@vger.kernel.org Fixes: 91f75ccf9f03 ("iio: temperature: tmp006: add triggered buffer support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com> --- drivers/iio/temperature/tmp006.c | 2 ++ 1 file changed, 2 insertions(+)