All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@linaro.org>
To: David Lechner <dlechner@baylibre.com>
Cc: linux-iio@vger.kernel.org
Subject: [bug report] iio: pressure: bmp280: drop sensor_data array
Date: Tue, 6 May 2025 15:32:07 +0300	[thread overview]
Message-ID: <aBoBR5D1UMjsSUfZ@stanley.mountain> (raw)

Hello David Lechner,

Commit 4e6c3c4801a6 ("iio: pressure: bmp280: drop sensor_data array")
from Apr 22, 2025 (linux-next), leads to the following Smatch static
checker warning:

	drivers/iio/pressure/bmp280-core.c:1280 bme280_trigger_handler()
	warn: check that 'buffer' doesn't leak information (struct has a hole after 'comp_humidity')

drivers/iio/pressure/bmp280-core.c
    1225 static irqreturn_t bme280_trigger_handler(int irq, void *p)
    1226 {
    1227         struct iio_poll_func *pf = p;
    1228         struct iio_dev *indio_dev = pf->indio_dev;
    1229         struct bmp280_data *data = iio_priv(indio_dev);
    1230         u32 adc_temp, adc_press, adc_humidity;
    1231         s32 t_fine;
    1232         struct {
    1233                 u32 comp_press;
    1234                 s32 comp_temp;
    1235                 u32 comp_humidity;
    1236                 aligned_s64 timestamp;

There is a 4 byte hole between comp_humidity and timestamp.

    1237         } buffer;
    1238         int ret;
    1239 
    1240         guard(mutex)(&data->lock);
    1241 
    1242         /* Burst read data registers */
    1243         ret = regmap_bulk_read(data->regmap, BMP280_REG_PRESS_MSB,
    1244                                data->buf, BME280_BURST_READ_BYTES);
    1245         if (ret) {
    1246                 dev_err(data->dev, "failed to burst read sensor data\n");
    1247                 goto out;
    1248         }
    1249 
    1250         /* Temperature calculations */
    1251         adc_temp = FIELD_GET(BMP280_MEAS_TRIM_MASK, get_unaligned_be24(&data->buf[3]));
    1252         if (adc_temp == BMP280_TEMP_SKIPPED) {
    1253                 dev_err(data->dev, "reading temperature skipped\n");
    1254                 goto out;
    1255         }
    1256 
    1257         buffer.comp_temp = bmp280_compensate_temp(data, adc_temp);
    1258 
    1259         /* Pressure calculations */
    1260         adc_press = FIELD_GET(BMP280_MEAS_TRIM_MASK, get_unaligned_be24(&data->buf[0]));
    1261         if (adc_press == BMP280_PRESS_SKIPPED) {
    1262                 dev_err(data->dev, "reading pressure skipped\n");
    1263                 goto out;
    1264         }
    1265 
    1266         t_fine = bmp280_calc_t_fine(data, adc_temp);
    1267         buffer.comp_press = bmp280_compensate_press(data, adc_press, t_fine);
    1268 
    1269         /* Humidity calculations */
    1270         adc_humidity = get_unaligned_be16(&data->buf[6]);
    1271 
    1272         if (adc_humidity == BMP280_HUMIDITY_SKIPPED) {
    1273                 dev_err(data->dev, "reading humidity skipped\n");
    1274                 goto out;
    1275         }
    1276 
    1277         buffer.comp_humidity = bme280_compensate_humidity(data, adc_humidity,
    1278                                                           t_fine);
    1279 
--> 1280         iio_push_to_buffers_with_ts(indio_dev, &buffer, sizeof(buffer),
                                                        ^^^^^^^^^^^^^^^^^^^^^^^
So I believe it leads to an information leaks here.

    1281                                     iio_get_time_ns(indio_dev));
    1282 
    1283 out:
    1284         iio_trigger_notify_done(indio_dev->trig);
    1285 
    1286         return IRQ_HANDLED;
    1287 }

regards,
dan carpenter

             reply	other threads:[~2025-05-06 12:32 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-06 12:32 Dan Carpenter [this message]
2025-05-06 14:25 ` [bug report] iio: pressure: bmp280: drop sensor_data array David Lechner
2025-05-06 18:35   ` Dan Carpenter
2025-05-07  6:35     ` Jonathan Cameron
2025-05-07  7:41       ` Dan Carpenter
2025-05-07 13:33         ` David Lechner
2025-05-09  5:49           ` Dan Carpenter
2025-05-09 10:01             ` Dan Carpenter
2025-05-09 16:58             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aBoBR5D1UMjsSUfZ@stanley.mountain \
    --to=dan.carpenter@linaro.org \
    --cc=dlechner@baylibre.com \
    --cc=linux-iio@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.