On Mon, 27 Apr 2020 20:06:07 +0200
Lars-Peter Clausen <lars@xxxxxxxxxx> wrote:

> On 4/13/20 10:24 AM, Nuno Sá wrote:
> > [...]
> > +static irqreturn_t adis16475_trigger_handler(int irq, void *p)
> > +{
> > [...]
> > + __be16 data[ADIS16475_MAX_SCAN_DATA], *buffer;
> > [...]
> > +
> > + iio_push_to_buffers_with_timestamp(indio_dev, data, pf->timestamp);
>
> If the timestamp is enabled the IIO core might insert padding between
> the data channels and the timestamp. If that happens this will disclose
> kernel stack memory to userspace.
>
> This needs either a memset(data, 0x00, sizeof(data)) or maybe put data
> into the state struct and kzalloc it.

Good spot. Could simply do __be16 data[ADI..] = {0}; rather than explicit
memset, but some form of zeroization is needed.

I've fixed up the applied patch with the above approach.

Thanks,

Jonathan

>
> - Lars
>
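
Review bot: `data` in adis16475_trigger_handler() is declared on the stack without an initialiser and then passed to iio_push_to_buffers_with_timestamp(), so any byte of the pushed scan that the handler does not write itself, such as alignment padding ahead of the timestamp, carries stale kernel stack contents to userspace. Initialise it at the declaration (`__be16 data[ADIS16475_MAX_SCAN_DATA] = {0};`) or move it into the kzalloc'd state struct. The lines elided by "[...]" should also be checked to confirm that the enabled channels plus the timestamp always fit within ADIS16475_MAX_SCAN_DATA elements.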
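
The padding described in the quoted review, modelled in user space as an added example (not code from the patch or from the IIO core). It assumes 16-bit channels only and a 0xAA fill standing in for stale stack bytes; `ts_offset`, `stale_bytes_in_scan` and `MAX_SCAN_BYTES` are hypothetical names.

```c
/* Added illustration: user-space model of an IIO scan, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCAN_BYTES 32 /* assumed size; not ADIS16475_MAX_SCAN_DATA */
#define STALE 0xAA        /* constructed stand-in for old stack contents */

/* Offset of the 64-bit timestamp: channel bytes rounded up to 8. */
static size_t ts_offset(size_t n_channels)
{
    return (n_channels * sizeof(uint16_t) + 7) & ~(size_t)7;
}

/* Build one scan and count padding bytes that still hold stale data.
 * Returns (size_t)-1 if the scan would not fit in the buffer. */
static size_t stale_bytes_in_scan(size_t n_channels, int zero_first)
{
    uint8_t scan[MAX_SCAN_BYTES];
    size_t off = ts_offset(n_channels), i, stale = 0;
    int64_t ts = 1588010767000000000LL; /* constructed timestamp */

    if (off + sizeof(ts) > sizeof(scan))
        return (size_t)-1;

    memset(scan, STALE, sizeof(scan));  /* model an uninitialised array */
    if (zero_first)
        memset(scan, 0, sizeof(scan));  /* the fix: data[] = {0} / memset */

    for (i = 0; i < n_channels; i++) {  /* driver fills the channels */
        uint16_t sample = (uint16_t)(0x1000 + i);
        memcpy(scan + i * sizeof(sample), &sample, sizeof(sample));
    }
    memcpy(scan + off, &ts, sizeof(ts)); /* core appends the timestamp */

    /* Everything up to off + 8 is copied out; inspect the gap. */
    for (i = n_channels * sizeof(uint16_t); i < off; i++)
        if (scan[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    for (size_t n = 1; n <= 8; n++)
        printf("%zu channels: %zu stale bytes, %zu after zeroing\n", n,
               stale_bytes_in_scan(n, 0), stale_bytes_in_scan(n, 1));
    return 0;
}
```

Channel counts that are a multiple of four leave no gap in this model, which is why the leak only shows up for some scan masks.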