On Wed, Jul 22, 2020 at 6:53 PM Jonathan Cameron <jic23@xxxxxxxxxx> wrote: > > From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx> > > One of a class of bugs pointed out by Lars in a recent review. > iio_push_to_buffers_with_timestamp assumes the buffer used is aligned > to the size of the timestamp (8 bytes). This is not guaranteed in > this driver which uses an array of smaller elements on the stack. > As Lars also noted this anti pattern can involve a leak of data to > userspace and that indeed can happen here. We close both issues by > moving to a suitable structure in the iio_priv() > > This data is allocated with kzalloc so no data can leak apart > from previous readings. > > A local unsigned int variable is used for the regmap call so it > is clear there is no potential issue with writing into the padding > of the structure. ... > + u8 chan; > + hw->scan.chan = val & 0xFF; 0xFF is not needed. -- With Best Regards, Andy Shevchenko
