On Sun, Jun 7, 2020 at 6:57 PM Jonathan Cameron <jic23@xxxxxxxxxx> wrote:
>
> From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
>
> One of a class of bugs pointed out by Lars in a recent review.
> iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> to the size of the timestamp (8 bytes). This is not guaranteed in
> this driver which uses a 16 byte array of smaller elements on the stack.
> As Lars also noted this anti-pattern can involve a leak of data to
> userspace and that indeed can happen here. We close both issues by moving
> to a suitable structure in the iio_priv() data with alignment
> ensured by use of an explicit C structure. This data is allocated
> with kzalloc so no data can leak apart from previous readings.
>
> Fixes tag is beyond some major refactoring so likely manual backporting
> would be needed to get that far back.
>
> Whilst the force alignment of the ts is not strictly necessary, it
> does make the code less fragile.

...

> + memcpy(&data->scan.channels[j++], &buffer[i * 3 + bit],
> + 2);

sizeof() ?

--
With Best Regards,
Andy Shevchenko
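Review bot: the hard-coded length `2` in the quoted memcpy hunk should be expressed in terms of the destination element, e.g. `sizeof(data->scan.channels[0])`, so the number of bytes copied is tied to the channel type in the new scan structure rather than to a literal that has to be kept in sync by hand; this is the point behind the "sizeof() ?" remark above and is worth fixing before the patch is merged.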