iio: magnetometer: ak8975: fix potential kernel stack memory leak

Currently in the AK8975 driver there are four instances where potential
uninitialized kernel stack memory leaks can occur. If
i2c_smbus_read_i2c_block_data_or_emulated() returns a value less than
the size of the buffer, uninitialized bytes are retained in the buffer
and later the buffer is passed on to IIO buffers, potentially leaking
memory to userspace.

Fix this by adding checks whether the return value of the function is
equal to the size of the buffer and subsequently if the value is
lesser than zero to distinguish from a returned error code.

Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260513-ak8975-fix-v1-1-104ea605dd54%40gmail.com
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>

diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
index 0fb2fd03d11ce195a67949056c000c473a8d3e99..bb74abb648f138352576a68c49d3c7dce7cc068e 100644 (file)
--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -499,6 +499,10 @@ static int ak8975_who_i_am(const struct ak8975_data *data,
                dev_err(&client->dev, "Error reading WIA\n");
                return ret;
        }
+       if (ret != sizeof(wia_val)) {
+               dev_err(&client->dev, "Error reading WIA\n");
+               return -EIO;
+       }
 
        if (wia_val[0] != AK8975_DEVICE_ID)
                return -ENODEV;
@@ -620,6 +624,10 @@ static int ak8975_setup(struct ak8975_data *data)
                dev_err(&client->dev, "Not able to read asa data\n");
                return ret;
        }
+       if (ret != sizeof(data->asa)) {
+               dev_err(&client->dev, "Error reading asa data\n");
+               return -EIO;
+       }
 
        /* After reading fuse ROM data set power-down mode */
        ret = ak8975_set_mode(data, POWER_DOWN);
@@ -755,6 +763,10 @@ static int ak8975_read_axis(struct iio_dev *indio_dev, int index, int *val)
                                                        (u8 *)&rval);
        if (ret < 0)
                goto exit;
+       if (ret != sizeof(rval)) {
+               ret = -EIO;
+               goto exit;
+       }
 
        /* Read out ST2 for release lock on measurement data. */
        ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]);
@@ -871,6 +883,8 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
                                                        (u8 *)fval);
        if (ret < 0)
                goto unlock;
+       if (ret != sizeof(fval))
+               goto unlock;
 
        mutex_unlock(&data->lock);