On Wed, Jul 22, 2020 at 6:53 PM Jonathan Cameron <jic23@xxxxxxxxxx> wrote:
>
> From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
>
> One of a class of bugs pointed out by Lars in a recent review.
> iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> to the size of the timestamp (8 bytes). This is not guaranteed in
> this driver which uses an array of smaller elements on the stack.
> As Lars also noted this anti pattern can involve a leak of data to
> userspace and that indeed can happen here. We close both issues by
> moving to a suitable structure in the iio_priv() data.
> This data is allocated with kzalloc so no data can leak apart from
> previous readings.
>
> The explicit alignment of ts is not necessary in this case but
> does make the code slightly less fragile so I have included it.
>

I broke my eyes and brain over temp. At first I thought it was
temporary garbage like in the other patch, but now I'm guessing
(looking into the comment) that this is temperature. Can we spell it fully?

...

> + u8 temp;

> - u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */

> + data->scan.temp = ret;

--
With Best Regards,
Andy Shevchenko
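
Review bot: the removed `u8 buffer[16]` line carried the only layout description visible here (3 16-bit channels + 1 byte temp + padding + ts), and the added `u8 temp;` member has no comment replacing it. Suggest a short comment beside the new scan members stating the channel order, the padding and the timestamp slot, together with a member name that reads as temperature, as the reply asks. At `data->scan.temp = ret;` the quoted lines do not show `ret` being checked before it is narrowed to u8, so confirm the error return is handled ahead of this assignment.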
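
The layout problem the commit message describes, as an added example that is not part of the original mail or of the driver: a userspace C model in which `struct scan`, its member names, `model_push_with_timestamp` and the 0xAA fill are assumptions made for illustration. It compares the byte that ends up between the last sample and the timestamp for a stack byte array and for a zeroed, aligned structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCAN_BYTES 16 /* 3 x 16-bit channels + 1 byte temperature + padding + ts */

/* Assumed layout for this example; member names are hypothetical. */
struct scan {
	int16_t chans[3];
	uint8_t temperature;
	int64_t ts __attribute__((aligned(8)));
};
_Static_assert(sizeof(struct scan) == SCAN_BYTES &&
	       offsetof(struct scan, ts) == 8, "ts must be the last 8-byte slot");

/* Userspace model of the timestamp store: last 8-byte slot of the scan. */
static void model_push_with_timestamp(void *data, int64_t timestamp)
{
	size_t slot = SCAN_BYTES / sizeof(int64_t) - 1;
	memcpy((unsigned char *)data + slot * sizeof(int64_t), &timestamp, sizeof(timestamp));
}

/* Nonzero bytes between the last sample and the timestamp would reach userspace. */
static int stale_padding_bytes(const unsigned char *scan)
{
	int n = 0;
	for (size_t i = offsetof(struct scan, temperature) + 1; i < offsetof(struct scan, ts); i++)
		n += scan[i] != 0;
	return n;
}

/* Old pattern: byte array on the stack; 0xAA stands in for stale stack data. */
static int leak_with_stack_array(void)
{
	unsigned char buffer[SCAN_BYTES]; /* alignment 1, not 8 */
	int16_t ch[3] = { 1, 2, 3 };      /* constructed sample readings */
	memset(buffer, 0xAA, sizeof(buffer));
	memcpy(buffer, ch, sizeof(ch));
	buffer[6] = 25;
	model_push_with_timestamp(buffer, 1234);
	return stale_padding_bytes(buffer);
}

/* Fixed pattern: zeroed, 8-byte aligned structure. */
static int leak_with_zeroed_struct(void)
{
	static struct scan s; /* zero-initialised, standing in for kzalloc */
	s.chans[0] = 1; s.chans[1] = 2; s.chans[2] = 3;
	s.temperature = 25;
	model_push_with_timestamp(&s, 1234);
	return stale_padding_bytes((const unsigned char *)&s) + (s.ts != 1234);
}
```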