Re: [PATCH 11/11] iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, May 17, 2020 at 06:30:00PM +0100, jic23@xxxxxxxxxx wrote:
> From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
>
> One of a class of bugs pointed out by Lars in a recent review.
> iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> to the size of the timestamp (8 bytes).  This is not guaranteed in
> this driver which uses an array of smaller elements on the stack.
> As Lars also noted this anti pattern can involve a leak of data to
> userspace and that indeed can happen here.  We close both issues by
> moving to a suitable structure in the iio_priv() data with alignment
> explicitly requested.  This data is allocated with kzalloc so no
> data can leak appart from previous readings.
>
> Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor")
> Reported-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> Cc: Tomasz Duszynski <tduszyns@xxxxxxxxx>
> ---
>  drivers/iio/chemical/pms7003.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iio/chemical/pms7003.c b/drivers/iio/chemical/pms7003.c
> index 23c9ab252470..07bb90d72434 100644
> --- a/drivers/iio/chemical/pms7003.c
> +++ b/drivers/iio/chemical/pms7003.c
> @@ -73,6 +73,11 @@ struct pms7003_state {
>  	struct pms7003_frame frame;
>  	struct completion frame_ready;
>  	struct mutex lock; /* must be held whenever state gets touched */
> +	/* Used to construct scan to push to the IIO buffer */
> +	struct {
> +		u16 data[3]; /* PM1, PM2P5, PM10 */
> +		s64 ts;
> +	} scan;
>  };
>
>  static int pms7003_do_cmd(struct pms7003_state *state, enum pms7003_cmd cmd)
> @@ -104,7 +109,6 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p)
>  	struct iio_dev *indio_dev = pf->indio_dev;
>  	struct pms7003_state *state = iio_priv(indio_dev);
>  	struct pms7003_frame *frame = &state->frame;
> -	u16 data[3 + 1 + 4]; /* PM1, PM2P5, PM10, padding, timestamp */
>  	int ret;
>
>  	mutex_lock(&state->lock);
> @@ -114,12 +118,15 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p)
>  		goto err;
>  	}
>
> -	data[PM1] = pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
> -	data[PM2P5] = pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
> -	data[PM10] = pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
> +	state->scan.data[PM1] =
> +		pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
> +	state->scan.data[PM2P5] =
> +		pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
> +	state->scan.data[PM10] =
> +		pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
>  	mutex_unlock(&state->lock);
>
> -	iio_push_to_buffers_with_timestamp(indio_dev, data,
> +	iio_push_to_buffers_with_timestamp(indio_dev, &state->scan,
>  					   iio_get_time_ns(indio_dev));
>  err:
>  	iio_trigger_notify_done(indio_dev->trig);
> --
> 2.26.2
>

Thanks for the fix.
Acked-by: Tomasz Duszynski <tomasz.duszynski@xxxxxxxxxxx>




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Input]     [Linux Kernel]     [Linux SCSI]     [X.org]

  Powered by Linux