On Sun, 17 May 2020 21:06:55 +0200
Tomasz Duszynski <tomasz.duszynski@xxxxxxxxxxx> wrote:
> On Sun, May 17, 2020 at 06:30:00PM +0100, jic23@xxxxxxxxxx wrote:
> > From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> >
> > One of a class of bugs pointed out by Lars in a recent review.
> > iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> > to the size of the timestamp (8 bytes). This is not guaranteed in
> > this driver which uses an array of smaller elements on the stack.
> > As Lars also noted this anti pattern can involve a leak of data to
> > userspace and that indeed can happen here. We close both issues by
> > moving to a suitable structure in the iio_priv() data with alignment
> > explicitly requested. This data is allocated with kzalloc so no
> > data can leak appart from previous readings.
> >
> > Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor")
> > Reported-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> > Cc: Tomasz Duszynski <tduszyns@xxxxxxxxx>
> > ---
> > drivers/iio/chemical/pms7003.c | 17 ++++++++++++-----
> > 1 file changed, 12 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/iio/chemical/pms7003.c b/drivers/iio/chemical/pms7003.c
> > index 23c9ab252470..07bb90d72434 100644
> > --- a/drivers/iio/chemical/pms7003.c
> > +++ b/drivers/iio/chemical/pms7003.c
> > @@ -73,6 +73,11 @@ struct pms7003_state {
> > struct pms7003_frame frame;
> > struct completion frame_ready;
> > struct mutex lock; /* must be held whenever state gets touched */
> > + /* Used to construct scan to push to the IIO buffer */
> > + struct {
> > + u16 data[3]; /* PM1, PM2P5, PM10 */
> > + s64 ts;
> > + } scan;
> > };
> >
> > static int pms7003_do_cmd(struct pms7003_state *state, enum pms7003_cmd cmd)
> > @@ -104,7 +109,6 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p)
> > struct iio_dev *indio_dev = pf->indio_dev;
> > struct pms7003_state *state = iio_priv(indio_dev);
> > struct pms7003_frame *frame = &state->frame;
> > - u16 data[3 + 1 + 4]; /* PM1, PM2P5, PM10, padding, timestamp */
> > int ret;
> >
> > mutex_lock(&state->lock);
> > @@ -114,12 +118,15 @@ static irqreturn_t pms7003_trigger_handler(int irq, void *p)
> > goto err;
> > }
> >
> > - data[PM1] = pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
> > - data[PM2P5] = pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
> > - data[PM10] = pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
> > + state->scan.data[PM1] =
> > + pms7003_get_pm(frame->data + PMS7003_PM1_OFFSET);
> > + state->scan.data[PM2P5] =
> > + pms7003_get_pm(frame->data + PMS7003_PM2P5_OFFSET);
> > + state->scan.data[PM10] =
> > + pms7003_get_pm(frame->data + PMS7003_PM10_OFFSET);
> > mutex_unlock(&state->lock);
> >
> > - iio_push_to_buffers_with_timestamp(indio_dev, data,
> > + iio_push_to_buffers_with_timestamp(indio_dev, &state->scan,
> > iio_get_time_ns(indio_dev));
> > err:
> > iio_trigger_notify_done(indio_dev->trig);
> > --
> > 2.26.2
> >
>
> Thanks for the fix.
> Acked-by: Tomasz Duszynski <tomasz.duszynski@xxxxxxxxxxx>
>
Applied. Thanks,
