From e4618eaadb5a269a54ade46148365abfe16cd0eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 6 Jan 2021 19:15:55 +0100
Subject: [PATCH] 4.4-stable patches added patches: iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
---
...0-fix-alignment-and-data-leak-issues.patch | 75 +++++++++++++++++++
queue-4.4/series | 1 +
2 files changed, 76 insertions(+)
create mode 100644 queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
diff --git a/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch b/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
new file mode 100644
index 00000000000..78eb789cf27
--- /dev/null
+++ b/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
@@ -0,0 +1,75 @@
+From foo@baz Wed Jan 6 07:12:53 PM CET 2021
+From: Jonathan Cameron
+Date: Sun, 20 Sep 2020 12:27:37 +0100
+Subject: iio:magnetometer:mag3110: Fix alignment and data leak issues.
+
+From: Jonathan Cameron
+
+commit 89deb1334252ea4a8491d47654811e28b0790364 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable structure in the iio_priv() data.
+This data is allocated with kzalloc() so no data can leak apart from
+previous readings.
+
+The explicit alignment of ts is not necessary in this case but
+does make the code slightly less fragile so I have included it.
+
+Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver")
+Reported-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Alexandru Ardelean
+Cc:
+Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/magnetometer/mag3110.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/magnetometer/mag3110.c
++++ b/drivers/iio/magnetometer/mag3110.c
+@@ -52,6 +52,12 @@ struct mag3110_data {
+ struct i2c_client *client;
+ struct mutex lock;
+ u8 ctrl_reg1;
++ /* Ensure natural alignment of timestamp */
++ struct {
++ __be16 channels[3];
++ u8 temperature;
++ s64 ts __aligned(8);
++ } scan;
+ };
+
+ static int mag3110_request(struct mag3110_data *data)
+@@ -245,10 +251,9 @@ static irqreturn_t mag3110_trigger_handl
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct mag3110_data *data = iio_priv(indio_dev);
+- u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */
+ int ret;
+
+- ret = mag3110_read(data, (__be16 *) buffer);
++ ret = mag3110_read(data, data->scan.channels);
+ if (ret < 0)
+ goto done;
+
+@@ -257,10 +262,10 @@ static irqreturn_t mag3110_trigger_handl
+ MAG3110_DIE_TEMP);
+ if (ret < 0)
+ goto done;
+- buffer[6] = ret;
++ data->scan.temperature = ret;
+ }
+
+- iio_push_to_buffers_with_timestamp(indio_dev, buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ iio_get_time_ns());
+
+ done:
diff --git a/queue-4.4/series b/queue-4.4/series
index f6ac9519632..88deca66e83 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -18,3 +18,4 @@ module-set-module_state_going-state-when-a-module-fa.patch
 quota-don-t-overflow-quota-file-offsets.patch
 powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch
 module-delay-kobject-uevent-until-after-module-init-.patch
+iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
--
2.47.3
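Review bot: The comment on the new `scan` member of `struct mag3110_data` mentions only timestamp alignment, so the property that actually closes the leak is not recorded in the code. As declared, the struct holds 6 bytes of channels, 1 byte of temperature and, by my reading of the layout, 1 byte of padding before the 8-byte-aligned `ts`; that padding, and any field not refreshed on a given trigger, is harmless only because the memory comes zeroed from the `iio_priv()` allocation, as the commit message states. I would extend the comment to something like `/* Scan layout: 3 x be16, u8 temp, pad, s64 ts (8-byte aligned). Must stay in zeroed iio_priv() memory: padding is pushed to userspace as-is. */`. `mag3110_trigger_handler` begins and ends outside the inner hunks, so whether the temperature store is conditional on the scan mask cannot be confirmed from here; if it is, the previous reading stays in `scan.temperature`, which the commit message accepts.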