From patchwork Sun May 17 17:29:50 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554217
From: jic23@kernel.org To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 01/11] iio: accel: kxsd9: Fix alignment of local buffer. Date: Sun, 17 May 2020 18:29:50 +0100 Message-Id: <20200517173000.220819-2-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200517173000.220819-1-jic23@kernel.org> References: <20200517173000.220819-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron iio_push_to_buffers_with_timestamp assumes 8 byte alignment which is not guaranteed by an array of smaller elements. Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/accel/kxsd9.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c index 0b876b2dc5bd..f989e6ffda88 100644 --- a/drivers/iio/accel/kxsd9.c +++ b/drivers/iio/accel/kxsd9.c @@ -209,14 +209,20 @@ static irqreturn_t kxsd9_trigger_handler(int irq, void *p) const struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct kxsd9_state *st = iio_priv(indio_dev); + /* + * Ensure correct positioning and alignment of timestamp. + * No need to zero initialize as all elements written. + */ + struct { + __be16 chan[4]; + s64 ts; + } hw_values; int ret; - /* 4 * 16bit values AND timestamp */ - __be16 hw_values[8]; ret = regmap_bulk_read(st->map, KXSD9_REG_X, - &hw_values, - 8); + hw_values.chan, + sizeof(hw_values.chan)); if (ret) { dev_err(st->dev, "error reading data\n"); 
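Review bot: the new comment on hw_values ("No need to zero initialize as all elements written") holds only because chan[4] fills exactly 8 bytes, leaving no padding before ts, and because ts is written by the push helper when the timestamp is enabled; the comment should say so, since the 3-channel structs later in this series do have a hole and this one lives on the stack. Separately, sizeof(hw_values.chan) is passed where regmap_bulk_read() takes a register count, which equals the old literal 8 only while each register is one byte wide; an explicit count or a short comment would make that assumption visible.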
@@ -224,7 +230,7 @@ static irqreturn_t kxsd9_trigger_handler(int irq, void *p) } iio_push_to_buffers_with_timestamp(indio_dev, - hw_values, + &hw_values, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig);
From patchwork Sun May 17 17:29:51 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554219
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen, Peter Meerwald
Subject: [PATCH 02/11] iio:accel:mma8452: Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:51 +0100
Message-Id: <20200517173000.220819-3-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte u8 array on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: c7eeea93ac60 ("iio: Add Freescale MMA8452Q 3-axis accelerometer driver")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Cc: Peter Meerwald
--- drivers/iio/accel/mma8452.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c index 00e100fc845a..704867ffda7a 100644 --- a/drivers/iio/accel/mma8452.c +++ b/drivers/iio/accel/mma8452.c
@@ -110,6 +110,12 @@ struct mma8452_data { int sleep_val; struct regulator *vdd_reg; struct regulator *vddio_reg; + + /* Ensure correct alignment of time stamp when present */ + struct { + __be16 channels[3]; + s64 ts; + } buffer; }; /** 
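Review bot: in the new buffer member, channels[3] takes 6 bytes, so there is a 2-byte hole before ts that is pushed along with every scan; the commit message relies on kzalloc having zeroed it, but the comment in the struct only mentions timestamp alignment. Suggest extending the comment to state that the padding is relied on to stay zero from allocation, so a later change that writes the whole member (a memcpy or struct assignment from stack data) does not quietly reintroduce the leak.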
@@ -1091,14 +1097,13 @@ static irqreturn_t mma8452_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mma8452_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 3 16-bit channels + padding + ts */ int ret; - ret = mma8452_read(data, (__be16 *)buffer); + ret = mma8452_read(data, data->buffer.channels); if (ret < 0) goto done; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, &data->buffer, iio_get_time_ns(indio_dev)); done:
From patchwork Sun May 17 17:29:52 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554221
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen, Srinivas Pandruvada
Subject: [PATCH 03/11] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:52 +0100
Message-Id: <20200517173000.220819-4-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes tag is beyond some major refactoring so likely manual backporting would be needed to get that far back.

Fixes: 3bbec9773389 ("iio: bmc150_accel: add support for hardware fifo")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron Cc: Srinivas Pandruvada --- drivers/iio/accel/bmc150-accel-core.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c index 121b4e89f038..b92e5a22feef 100644 --- a/drivers/iio/accel/bmc150-accel-core.c +++ b/drivers/iio/accel/bmc150-accel-core.c @@ -189,6 +189,14 @@ struct bmc150_accel_data { struct mutex mutex; u8 fifo_mode, watermark; s16 buffer[8]; + /* + * Ensure there is sufficient space and correct alignment for + * the timestamp if enabled + */ + struct { + __le16 channels[3]; + s64 ts; + } scan; u8 bw_bits; u32 slope_dur; u32 slope_thres; 
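Review bot: the context line "s16 buffer[8];" directly above the new scan member is left untouched, and the only call site changed in this patch is the FIFO flush path. If any other path in the driver hands data->buffer to iio_push_to_buffers_with_timestamp it has the same alignment problem the commit message describes; either convert it here as well or say in the commit message why that member is not affected.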
@@ -922,15 +930,16 @@ static int __bmc150_accel_fifo_flush(struct iio_dev *indio_dev, * now. */ for (i = 0; i < count; i++) { - u16 sample[8]; int j, bit; j = 0; for_each_set_bit(bit, indio_dev->active_scan_mask, indio_dev->masklength) - memcpy(&sample[j++], &buffer[i * 3 + bit], 2); + memcpy(&data->scan.channels[j++], &buffer[i * 3 + bit], + 2); - iio_push_to_buffers_with_timestamp(indio_dev, sample, tstamp); + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + tstamp); tstamp += sample_period; }
From patchwork Sun May 17 17:29:53 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554223
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 04/11] iio:accel:mma7455: Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:53 +0100
Message-Id: <20200517173000.220819-5-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte u8 array on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: a84ef0d181d9 ("iio: accel: add Freescale MMA7455L/MMA7456L 3-axis accelerometer driver")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/accel/mma7455_core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/accel/mma7455_core.c b/drivers/iio/accel/mma7455_core.c index 8b5a6aff9bf4..b48caece170e 100644 --- a/drivers/iio/accel/mma7455_core.c +++ b/drivers/iio/accel/mma7455_core.c @@ -52,6 +52,14 @@ struct mma7455_data { struct regmap *regmap; + /* + * Used to reorganize data. Will ensure correct alignment of + * the timestamp if present + */ + struct { + __le16 channels[3]; + s64 ts; + } scan; }; static int mma7455_drdy(struct mma7455_data *mma7455) 
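Review bot: the comment on the new scan member says "Used to reorganize data", but the trigger handler in this patch reads straight into scan.channels with regmap_bulk_read() and nothing is reorganized. Suggest wording it like the other patches in the series (alignment of the timestamp) and noting that the 2 bytes of padding after channels[3] rely on the kzalloc'd iio_priv() data being zero, which is the leak-prevention half of this fix and is currently only in the commit message.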
@@ -82,19 +90,19 @@ static irqreturn_t mma7455_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mma7455_data *mma7455 = iio_priv(indio_dev); - u8 buf[16]; /* 3 x 16-bit channels + padding + ts */ int ret; ret = mma7455_drdy(mma7455); if (ret) goto done; - ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, buf, - sizeof(__le16) * 3); + ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, + mma7455->scan.channels, + sizeof(mma7455->scan.channels)); if (ret) goto done; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &mma7455->scan, iio_get_time_ns(indio_dev)); done:
From patchwork Sun May 17 17:29:54 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554225
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 05/11] iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:54 +0100
Message-Id: <20200517173000.220819-6-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack.

This is fixed by using an explicit c structure. As there are no holes in the structure, there is no possibility of data leakage in this case.

Fixes: 36e0371e7764 ("iio:itg3200: Use iio_push_to_buffers_with_timestamp()")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/gyro/itg3200_buffer.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/gyro/itg3200_buffer.c b/drivers/iio/gyro/itg3200_buffer.c index d3fbe9d86467..cd405801e61e 100644 --- a/drivers/iio/gyro/itg3200_buffer.c +++ b/drivers/iio/gyro/itg3200_buffer.c 
@@ -46,13 +46,20 @@ static irqreturn_t itg3200_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct itg3200 *st = iio_priv(indio_dev); - __be16 buf[ITG3200_SCAN_ELEMENTS + sizeof(s64)/sizeof(u16)]; - - int ret = itg3200_read_all_channels(st->i2c, buf); + /* + * Ensure correct alignment and padding including for the + * timestamp that may be inserted. + */ + struct { + __be16 buf[ITG3200_SCAN_ELEMENTS]; + s64 ts; + } scan; + + int ret = itg3200_read_all_channels(st->i2c, scan.buf); if (ret < 0) goto error_ret; - iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); iio_trigger_notify_done(indio_dev->trig);
From patchwork Sun May 17 17:29:55 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554227
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen, Andreas Klinger
Subject: [PATCH 06/11] iio:proximity:mb1232: Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:55 +0100
Message-Id: <20200517173000.220819-7-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>
From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte s16 array on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 16b05261537e ("mb1232.c: add distance iio sensor with i2c")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Cc: Andreas Klinger
--- drivers/iio/proximity/mb1232.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/iio/proximity/mb1232.c b/drivers/iio/proximity/mb1232.c index 166b3e6d7db8..5ec2d306f1c1 100644 --- a/drivers/iio/proximity/mb1232.c +++ b/drivers/iio/proximity/mb1232.c @@ -40,6 +40,11 @@ struct mb1232_data { */ struct completion ranging; int irqnr; + /* Ensure correct alignment of data to push to IIO buffer */ + struct { + s16 distance; + s64 ts; + } scan; }; static irqreturn_t mb1232_handle_irq(int irq, void *dev_id)
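Review bot: in the new scan struct, "s64 ts" directly after "s16 distance" takes its offset, and the struct its alignment, from the ABI's natural alignment of s64; on ABIs where that is 4 bytes (32-bit x86 is one) ts lands at offset 4 and the struct is 12 bytes, while the commit message says the push helper expects the timestamp to be 8-byte aligned. Suggest "s64 ts __aligned(8);" so the layout does not depend on the architecture, in line with the explicit __aligned(8) used for afe4403 later in this series.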
@@ -113,17 +118,13 @@ static irqreturn_t mb1232_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mb1232_data *data = iio_priv(indio_dev); - /* - * triggered buffer - * 16-bit channel + 48-bit padding + 64-bit timestamp - */ - s16 buffer[8] = { 0 }; - buffer[0] = mb1232_read_distance(data); - if (buffer[0] < 0) + data->scan.distance = mb1232_read_distance(data); + if (data->scan.distance < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig);
From patchwork Sun May 17 17:29:56 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554229
From: jic23@kernel.org
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron, Lars-Peter Clausen, "Andrew F . Davis"
Subject: [PATCH 07/11] iio:health:afe4403 Fix timestamp alignment and prevent data leak.
Date: Sun, 17 May 2020 18:29:56 +0100
Message-Id: <20200517173000.220819-8-jic23@kernel.org>
In-Reply-To: <20200517173000.220819-1-jic23@kernel.org>
References: <20200517173000.220819-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: eec96d1e2d31 ("iio: health: Add driver for the TI AFE4403 heart monitor")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron Cc: Andrew F. Davis Acked-by: Andrew F. Davis --- drivers/iio/health/afe4403.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c index e9f87e42ff4f..a3507624b30f 100644 --- a/drivers/iio/health/afe4403.c +++ b/drivers/iio/health/afe4403.c @@ -65,6 +65,7 @@ static const struct reg_field afe4403_reg_fields[] = { * @regulator: Pointer to the regulator for the IC * @trig: IIO trigger for this device * @irq: ADC_RDY line interrupt number + * @buffer: Used to construct data layout to push into IIO buffer. */ struct afe4403_data { struct device *dev; @@ -74,6 +75,8 @@ struct afe4403_data { struct regulator *regulator; struct iio_trigger *trig; int irq; + /* Ensure suitable alignment for timestamp */ + s32 buffer[8] __aligned(8); }; enum afe4403_chan_id { @@ -309,7 +312,6 @@ static irqreturn_t afe4403_trigger_handler(int irq, void *private) struct iio_dev *indio_dev = pf->indio_dev; struct afe4403_data *afe = iio_priv(indio_dev); int ret, bit, i = 0; - s32 buffer[8]; u8 tx[4] = {AFE440X_CONTROL0, 0x0, 0x0, AFE440X_CONTROL0_READ}; u8 rx[3]; @@ -326,7 +328,7 @@ static irqreturn_t afe4403_trigger_handler(int irq, void *private) if (ret) goto err; - buffer[i++] = get_unaligned_be24(&rx[0]); + afe->buffer[i++] = get_unaligned_be24(&rx[0]); } /* Disable reading from the device */ 
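Review bot: "s32 buffer[8] __aligned(8);" in struct afe4403_data carries no explanation of the 8; the commit message calls it a 32 byte array, but neither the inline comment nor the new @buffer kernel-doc line says how many channel slots, how much padding and where the timestamp sit inside it. Suggest documenting the layout next to the member, or using a struct with a named ts field as the other patches in the series do, so a later change to the channel count cannot silently overlap the timestamp slot.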
@@ -335,7 +337,8 @@ static irqreturn_t afe4403_trigger_handler(int irq, void *private) if (ret) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, afe->buffer, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig);
From patchwork Sun May 17 17:29:57 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11554231
From: jic23@kernel.org To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , "Andrew F . Davis" Subject: [PATCH 08/11] iio:health:afe4404 Fix timestamp alignment and prevent data leak. Date: Sun, 17 May 2020 18:29:57 +0100 Message-Id: <20200517173000.220819-9-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200517173000.220819-1-jic23@kernel.org> References: <20200517173000.220819-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 40 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 87aec56e27ef ("iio: health: Add driver for the TI AFE4404 heart monitor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Andrew F. Davis --- drivers/iio/health/afe4404.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c index e728bbb21ca8..cebb1fd4d0b1 100644 --- a/drivers/iio/health/afe4404.c +++ b/drivers/iio/health/afe4404.c
@@ -83,6 +83,7 @@ static const struct reg_field afe4404_reg_fields[] = { * @regulator: Pointer to the regulator for the IC * @trig: IIO trigger for this device * @irq: ADC_RDY line interrupt number + * @buffer: Used to construct a scan to push to the iio buffer. */ struct afe4404_data { struct device *dev; @@ -91,6 +92,7 @@ struct afe4404_data { struct regulator *regulator; struct iio_trigger *trig; int irq; + s32 buffer[10] __aligned(8); }; enum afe4404_chan_id { 
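Review bot: "s32 buffer[10] __aligned(8);" in struct afe4404_data is added with no inline comment, while the same member in the afe4403 patch carries "Ensure suitable alignment for timestamp". Please add that comment here as well, and use one wording for the @buffer kernel-doc line in both drivers ("data layout to push into IIO buffer" there, "a scan to push to the iio buffer" here).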
@@ -328,17 +330,17 @@ static irqreturn_t afe4404_trigger_handler(int irq, void *private) struct iio_dev *indio_dev = pf->indio_dev; struct afe4404_data *afe = iio_priv(indio_dev); int ret, bit, i = 0; - s32 buffer[10]; for_each_set_bit(bit, indio_dev->active_scan_mask, indio_dev->masklength) { ret = regmap_read(afe->regmap, afe4404_channel_values[bit], - &buffer[i++]); + &afe->buffer[i++]); if (ret) goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, afe->buffer, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig); From patchwork Sun May 17 17:29:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11554233
From: jic23@kernel.org To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Narcisa Ana Maria Vasile Subject: [PATCH 09/11] iio:chemical:ccs811: Fix timestamp alignment and prevent data leak. Date: Sun, 17 May 2020 18:29:58 +0100 Message-Id: <20200517173000.220819-10-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200517173000.220819-1-jic23@kernel.org> References: <20200517173000.220819-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 283d26917ad6 ("iio: chemical: ccs811: Add triggered buffer support") Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron Cc: Narcisa Ana Maria Vasile --- drivers/iio/chemical/ccs811.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/iio/chemical/ccs811.c b/drivers/iio/chemical/ccs811.c index 3ecd633f9ed3..fe1901be320d 100644 --- a/drivers/iio/chemical/ccs811.c +++ b/drivers/iio/chemical/ccs811.c @@ -78,6 +78,11 @@ struct ccs811_data { struct iio_trigger *drdy_trig; struct gpio_desc *wakeup_gpio; bool drdy_trig_on; + /* Ensures correct alignment of timestamp if present */ + struct { + s16 channels[2]; + s64 ts; + } scan; }; static const struct iio_chan_spec ccs811_channels[] = { 
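Review bot: in the scan struct added to struct ccs811_data, "s64 ts" gets only the natural alignment of s64, which is 4 bytes on 32-bit x86, so after "s16 channels[2]" the timestamp would sit at offset 4 there rather than at the 8-byte-aligned offset 8 that the comment promises. Marking the member explicitly, "s64 ts __aligned(8);", gives the same layout on every architecture.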
@@ -327,17 +332,17 @@ static irqreturn_t ccs811_trigger_handler(int irq, void *p) struct iio_dev *indio_dev = pf->indio_dev; struct ccs811_data *data = iio_priv(indio_dev); struct i2c_client *client = data->client; - s16 buf[8]; /* s16 eCO2 + s16 TVOC + padding + 8 byte timestamp */ int ret; - ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, 4, - (u8 *)&buf); + ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, + sizeof(data->scan.channels), + (u8 *)data->scan.channels); if (ret != 4) { dev_err(&client->dev, "cannot read sensor data\n"); goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); err: From patchwork Sun May 17 17:29:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11554235
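Review bot: in the ccs811_trigger_handler() hunk of the ccs811 patch above, the read length becomes sizeof(data->scan.channels) but the result is still checked with "if (ret != 4)". Compare against the same sizeof expression so the requested and expected lengths cannot drift apart if the channel array ever changes.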
From: jic23@kernel.org To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Tomasz Duszynski Subject: [PATCH 10/11] iio:chemical:sps30: Fix timestamp alignment Date: Sun, 17 May 2020 18:29:59 +0100 Message-Id: <20200517173000.220819-11-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200517173000.220819-1-jic23@kernel.org> References: <20200517173000.220819-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Fixes: 232e0f6ddeae ("iio: chemical: add support for Sensirion SPS30 sensor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Tomasz Duszynski Acked-by: Tomasz Duszynski --- drivers/iio/chemical/sps30.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iio/chemical/sps30.c b/drivers/iio/chemical/sps30.c index acb9f8ecbb3d..a88c1fb875a0 100644 --- a/drivers/iio/chemical/sps30.c
+++ b/drivers/iio/chemical/sps30.c 
@@ -230,15 +230,18 @@ static irqreturn_t sps30_trigger_handler(int irq, void *p) struct iio_dev *indio_dev = pf->indio_dev; struct sps30_state *state = iio_priv(indio_dev); int ret; - s32 data[4 + 2]; /* PM1, PM2P5, PM4, PM10, timestamp */ + struct { + s32 data[4]; /* PM1, PM2P5, PM4, PM10 */ + s64 ts; + } scan; mutex_lock(&state->lock); - ret = sps30_do_meas(state, data, 4); + ret = sps30_do_meas(state, scan.data, ARRAY_SIZE(scan.data)); mutex_unlock(&state->lock); if (ret) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err: iio_trigger_notify_done(indio_dev->trig); From patchwork Sun May 17 17:30:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11554237
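Review bot: in the sps30_trigger_handler() hunk of the sps30 patch above, the new scan struct lives on the stack without an initialiser, and the hunk does not show that sps30_do_meas() fills all four data[] entries on success. Please either zero-initialise scan or add a one-line comment stating that every element is written before the push, so it is clear that no stale stack bytes can reach the IIO buffer.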
From: jic23@kernel.org To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Tomasz Duszynski Subject: [PATCH 11/11] iio:chemical:pms7003: Fix timestamp alignment and prevent data leak. Date: Sun, 17 May 2020 18:30:00 +0100 Message-Id: <20200517173000.220819-12-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200517173000.220819-1-jic23@kernel.org> References: <20200517173000.220819-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor") Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron Cc: Tomasz Duszynski Acked-by: Tomasz Duszynski --- drivers/iio/chemical/pms7003.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/iio/chemical/pms7003.c b/drivers/iio/chemical/pms7003.c index 23c9ab252470..07bb90d72434 100644 --- a/drivers/iio/chemical/pms7003.c +++ b/drivers/iio/chemical/pms7003.c @@ -73,6 +73,11 @@ struct pms7003_state { struct pms7003_frame frame; struct completion frame_ready; struct mutex lock; /* must be held whenever state gets touched */ + /* Used to construct scan to push to the IIO buffer */ + struct { + u16 data[3]; /* PM1, PM2P5, PM10 */ + s64 ts; + } scan; }; static int pms7003_do_cmd(struct pms7003_state *state, enum pms7003_cmd cmd) @@ -104,7 +109,6 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p) struct iio_dev *indio_dev = pf->indio_dev; struct pms7003_state *state = iio_priv(indio_dev); struct pms7003_frame *frame = &state->frame; - u16 data[3 + 1 + 4]; /* PM1, PM2P5, PM10, padding, timestamp */ int ret; mutex_lock(&state->lock); @@ -114,12 +118,15 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p) goto err; } - data[PM1] = pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET); - data[PM2P5] = pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET); - data[PM10] = pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET); + state->scan.data[PM1] = + pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET); + state->scan.data[PM2P5] = + pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET); + state->scan.data[PM10] = + pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET); mutex_unlock(&state->lock); - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &state->scan, iio_get_time_ns(indio_dev)); err: iio_trigger_notify_done(indio_dev->trig);
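Review bot: in pms7003_trigger_handler() the new state->scan is filled under state->lock but handed to iio_push_to_buffers_with_timestamp() after mutex_unlock(), while the comment on the lock in struct pms7003_state says it "must be held whenever state gets touched". Either move the push inside the locked region or extend the comment on scan to say why it may be read without the lock.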