* [PATCH] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer
@ 2026-05-05 17:34 David Carlier
2026-05-06 9:14 ` Andy Shevchenko
0 siblings, 1 reply; 2+ messages in thread
From: David Carlier @ 2026-05-05 17:34 UTC (permalink / raw)
To: Jonathan Cameron
Cc: dlechner, nuno.sa, andy, linux-iio, linux-kernel, stable,
David Carlier
bmp580_trigger_handler() builds an on-stack scan buffer containing
two __le32 fields and an aligned_s64 timestamp, and pushes it to
userspace via iio_push_to_buffers_with_ts(). However, only the low
3 bytes of each __le32 field are populated by the device data:
memcpy(&buffer.comp_press, &data->buf[3], 3);
memcpy(&buffer.comp_temp, &data->buf[0], 3);
The high byte of each field is left uninitialised on the stack.
The bmp580 channels declare storagebits = 32, so the IIO core
transports all four bytes per sample to userspace as part of the
scan element, leaking two bytes of kernel stack per scan.
Zero-initialise the buffer before populating it, mirroring the fix
applied to bme280_trigger_handler() in commit 018f50909e66 ("iio:
bmp280: zero-init buffer").
Fixes: 872c8014e05e ("iio: pressure: bmp280: drop sensor_data array")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
drivers/iio/pressure/bmp280-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index f37f20776c89..431476cff883 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -2623,6 +2623,8 @@ static irqreturn_t bmp580_trigger_handler(int irq, void *p)
} buffer;
int ret;
+ memset(&buffer, 0, sizeof(buffer));
+
guard(mutex)(&data->lock);
/* Burst read data registers */
--
2.53.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer
2026-05-05 17:34 [PATCH] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer David Carlier
@ 2026-05-06 9:14 ` Andy Shevchenko
0 siblings, 0 replies; 2+ messages in thread
From: Andy Shevchenko @ 2026-05-06 9:14 UTC (permalink / raw)
To: David Carlier
Cc: Jonathan Cameron, dlechner, nuno.sa, andy, linux-iio,
linux-kernel, stable
On Tue, May 05, 2026 at 06:34:55PM +0100, David Carlier wrote:
> bmp580_trigger_handler() builds an on-stack scan buffer containing
> two __le32 fields and an aligned_s64 timestamp, and pushes it to
> userspace via iio_push_to_buffers_with_ts(). However, only the low
> 3 bytes of each __le32 field are populated by the device data:
>
> memcpy(&buffer.comp_press, &data->buf[3], 3);
> memcpy(&buffer.comp_temp, &data->buf[0], 3);
>
> The high byte of each field is left uninitialised on the stack.
> The bmp580 channels declare storagebits = 32, so the IIO core
> transports all four bytes per sample to userspace as part of the
> scan element, leaking two bytes of kernel stack per scan.
>
> Zero-initialise the buffer before populating it, mirroring the fix
> applied to bme280_trigger_handler() in commit 018f50909e66 ("iio:
> bmp280: zero-init buffer").
Same Q, is any part of the above, including the initial report/analysis
AI assisted? If so, you have to mentioned this in the respective
Reported-by:/Closes:/et cetera tags.
...
> } buffer;
} buffer = { };
will suffice.
> int ret;
>
> + memset(&buffer, 0, sizeof(buffer));
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-06 9:14 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-05 17:34 [PATCH] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer David Carlier
2026-05-06 9:14 ` Andy Shevchenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox