From patchwork Mon Jul 20 15:35:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 237550 Delivered-To: patch@linaro.org Received: by 2002:a92:d244:0:0:0:0:0 with SMTP id v4csp2133069ilg; Mon, 20 Jul 2020 09:31:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwpMfKUSUneVe7T9ndwJR+2lwGt6yA+jr3VQT2Z3USG7yy8ohuMi60Qd84nJ7zjmZpUNjhH X-Received: by 2002:a17:906:1688:: with SMTP id s8mr21755530ejd.164.1595262717051; Mon, 20 Jul 2020 09:31:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595262717; cv=none; d=google.com; s=arc-20160816; b=zy3j9MzexOw6/LpqoB5o50tBaZ4EOLTanuFQnmnqxZD2PqzgogJS4QRgaTBGtqXMGe A6g0Vx0QKAPvuojSBkRW1HJgfLNUMaH2Hr99lB4SPoyAswFHP49gncHXUKXavWnzM95a nnTZ3diBikqpKeSoDiVbsobxIUR4ILd/I4lCl18aG4EQPGRSNDF0QVSncZa5pqdHKhuX dRWRNy1pbllBp41przEY5MB1S5EMmQkB2jwR+9LLNKKmtdbVtp00lwCD25M5KuS7gUNJ 0/orZdftpANNE+Il2dAEPRCXEpWd2N9csKFr6hy2T9O8DWpKoWdeRXZRnps8vcovnHPq Mv7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GUPYLs39yvW9dExfVoyDSN71ZYgfoawwxQIJUWhYVuQ=; b=h169J4JajhupX4J0c73ufcCUu3jSMP+lc5mPSFYmK0glGoggrP79jyIrttJsV6gHoh zs231a8G77R4z62loRg2WC3VfuHNN5+9t63b6Y72wbtYYc6L7nHCi7/50pZeHZ6mQEhn nGK2R3vONRtv2uqr1iORktMZbw/5BR++pKez227XGKdJUJ0Y1IVxtlHPFVxpCxV2AX15 JgEUTaGavOeplqUAjgye5xUDYiz/kodZKwE20y8MKQ3S9DVfM7D0dBqtRUy3qcgmh0Js bCsQvXZninqc599s9QsjvzxTu55+N1qPnJrfU64YeQFSPbYDlra54fmYUqevHZvKj41x wXcQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Gw88Awx5; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a1si11610097edb.90.2020.07.20.09.31.56; Mon, 20 Jul 2020 09:31:57 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Gw88Awx5; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732334AbgGTQbH (ORCPT + 15 others); Mon, 20 Jul 2020 12:31:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:57466 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729978AbgGTP5d (ORCPT ); Mon, 20 Jul 2020 11:57:33 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A0D8E20773; Mon, 20 Jul 2020 15:57:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595260652; bh=1CVY6Ixyfc3N1iXZi/C5GQOuWmGjDONCEAmLWXAlKvI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Gw88Awx5jr0H174cEFTYblMstGnsV1k6/I93kaaUSBkQ9LRfQC66IaizbYkB6wC9X n+PzflibWfx84koX/UaK9mPqII5FeES1oKdUfwCj6fBFaC8smi/KnYR/+i5xM4uTqm JMaR2XRcpSSLsraUbM9WD0KVDT26nEN5+3dARDmw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lars-Peter Clausen , Linus Walleij , Jonathan Cameron , Stable@vger.kernel.org Subject: [PATCH 5.4 046/215] iio:magnetometer:ak8974: Fix alignment and data leak issues Date: Mon, 20 Jul 2020 17:35:28 +0200 Message-Id: <20200720152822.389114777@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200720152820.122442056@linuxfoundation.org> References: <20200720152820.122442056@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jonathan Cameron commit 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974") Reported-by: Lars-Peter Clausen Reviewed-by: Linus Walleij Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman --- drivers/iio/magnetometer/ak8974.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/iio/magnetometer/ak8974.c +++ b/drivers/iio/magnetometer/ak8974.c @@ -185,6 +185,11 @@ struct ak8974 { bool drdy_irq; struct completion drdy_complete; bool drdy_active_low; + /* Ensure timestamp is naturally aligned */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } scan; }; static const char ak8974_reg_avdd[] = "avdd"; @@ -581,7 +586,6 @@ static void ak8974_fill_buffer(struct ii { struct ak8974 *ak8974 = iio_priv(indio_dev); int ret; - __le16 hw_values[8]; /* Three axes + 64bit padding */ pm_runtime_get_sync(&ak8974->i2c->dev); mutex_lock(&ak8974->lock); @@ -591,13 +595,13 @@ static void ak8974_fill_buffer(struct ii dev_err(&ak8974->i2c->dev, "error triggering measure\n"); goto out_unlock; } - ret = ak8974_getresult(ak8974, hw_values); + ret = ak8974_getresult(ak8974, ak8974->scan.channels); if (ret) { dev_err(&ak8974->i2c->dev, "error getting measures\n"); goto out_unlock; } - iio_push_to_buffers_with_timestamp(indio_dev, hw_values, + iio_push_to_buffers_with_timestamp(indio_dev, &ak8974->scan, iio_get_time_ns(indio_dev)); out_unlock: