Linux IIO development
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@linaro.org>
To: David Lechner <dlechner@baylibre.com>
Cc: linux-iio@vger.kernel.org
Subject: [bug report] iio: pressure: bmp280: drop sensor_data array
Date: Tue, 6 May 2025 15:32:07 +0300	[thread overview]
Message-ID: <aBoBR5D1UMjsSUfZ@stanley.mountain> (raw)

Hello David Lechner,

Commit 4e6c3c4801a6 ("iio: pressure: bmp280: drop sensor_data array")
from Apr 22, 2025 (linux-next), leads to the following Smatch static
checker warning:

	drivers/iio/pressure/bmp280-core.c:1280 bme280_trigger_handler()
	warn: check that 'buffer' doesn't leak information (struct has a hole after 'comp_humidity')

drivers/iio/pressure/bmp280-core.c
    1225 static irqreturn_t bme280_trigger_handler(int irq, void *p)
    1226 {
    1227         struct iio_poll_func *pf = p;
    1228         struct iio_dev *indio_dev = pf->indio_dev;
    1229         struct bmp280_data *data = iio_priv(indio_dev);
    1230         u32 adc_temp, adc_press, adc_humidity;
    1231         s32 t_fine;
    1232         struct {
    1233                 u32 comp_press;
    1234                 s32 comp_temp;
    1235                 u32 comp_humidity;
    1236                 aligned_s64 timestamp;

There is a 4 byte hole between comp_humidity and timestamp.

    1237         } buffer;
    1238         int ret;
    1239 
    1240         guard(mutex)(&data->lock);
    1241 
    1242         /* Burst read data registers */
    1243         ret = regmap_bulk_read(data->regmap, BMP280_REG_PRESS_MSB,
    1244                                data->buf, BME280_BURST_READ_BYTES);
    1245         if (ret) {
    1246                 dev_err(data->dev, "failed to burst read sensor data\n");
    1247                 goto out;
    1248         }
    1249 
    1250         /* Temperature calculations */
    1251         adc_temp = FIELD_GET(BMP280_MEAS_TRIM_MASK, get_unaligned_be24(&data->buf[3]));
    1252         if (adc_temp == BMP280_TEMP_SKIPPED) {
    1253                 dev_err(data->dev, "reading temperature skipped\n");
    1254                 goto out;
    1255         }
    1256 
    1257         buffer.comp_temp = bmp280_compensate_temp(data, adc_temp);
    1258 
    1259         /* Pressure calculations */
    1260         adc_press = FIELD_GET(BMP280_MEAS_TRIM_MASK, get_unaligned_be24(&data->buf[0]));
    1261         if (adc_press == BMP280_PRESS_SKIPPED) {
    1262                 dev_err(data->dev, "reading pressure skipped\n");
    1263                 goto out;
    1264         }
    1265 
    1266         t_fine = bmp280_calc_t_fine(data, adc_temp);
    1267         buffer.comp_press = bmp280_compensate_press(data, adc_press, t_fine);
    1268 
    1269         /* Humidity calculations */
    1270         adc_humidity = get_unaligned_be16(&data->buf[6]);
    1271 
    1272         if (adc_humidity == BMP280_HUMIDITY_SKIPPED) {
    1273                 dev_err(data->dev, "reading humidity skipped\n");
    1274                 goto out;
    1275         }
    1276 
    1277         buffer.comp_humidity = bme280_compensate_humidity(data, adc_humidity,
    1278                                                           t_fine);
    1279 
--> 1280         iio_push_to_buffers_with_ts(indio_dev, &buffer, sizeof(buffer),
                                                        ^^^^^^^^^^^^^^^^^^^^^^^
So I believe it leads to an information leaks here.

    1281                                     iio_get_time_ns(indio_dev));
    1282 
    1283 out:
    1284         iio_trigger_notify_done(indio_dev->trig);
    1285 
    1286         return IRQ_HANDLED;
    1287 }

regards,
dan carpenter

             reply	other threads:[~2025-05-06 12:32 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-06 12:32 Dan Carpenter [this message]
2025-05-06 14:25 ` [bug report] iio: pressure: bmp280: drop sensor_data array David Lechner
2025-05-06 18:35   ` Dan Carpenter
2025-05-07  6:35     ` Jonathan Cameron
2025-05-07  7:41       ` Dan Carpenter
2025-05-07 13:33         ` David Lechner
2025-05-09  5:49           ` Dan Carpenter
2025-05-09 10:01             ` Dan Carpenter
2025-05-09 16:58             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aBoBR5D1UMjsSUfZ@stanley.mountain \
    --to=dan.carpenter@linaro.org \
    --cc=dlechner@baylibre.com \
    --cc=linux-iio@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox