Re: [PATCH 1/3] iio: pressure: bmp280: fix stack leak in bmp580 trigger handler

From: David Lechner

Date: Thu Apr 09 2026 - 11:02:11 EST


On 4/9/26 8:40 AM, Greg Kroah-Hartman wrote:
> bmp580_trigger_handler() declares its scan buffer on the stack without
> an initializer and then memcpy()s 3 bytes of 24-bit sensor data into
> each 4-byte __le32 field. The high byte of comp_temp and comp_press is
> left uninitialized, and the channel storagebits is 32, so two bytes of
> stack are pushed to userspace per scan.
>
> This is a regression from when the buffer lived in the private data, the
> move to a stack-local struct dropped the implicit zeroing.
> bme280_trigger_handler() was fixed up to handle this bug, but this
> driver was not fixed because there was no padding hole, but rather a
> short-fill issue.
>
> Fix this all by just zero-initializing the structure on the stack.
>

Reviewed-by: David Lechner <dlechner@xxxxxxxxxxxx>
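
The short-fill described in the quoted commit message can be reproduced in a userspace model. This is an added example, not code from the patch or the bmp280 driver: struct scan_model, build_scan(), unwritten_mask(), the timestamp member and the sample bytes are all assumptions made for illustration. It builds the same scan twice over memory pre-filled with two different poison values; any byte that differs between the two results was never written by the fill code and would carry stale stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the layout in the commit message: two 4-byte fields
 * with no padding hole between them. The timestamp member is an assumption. */
struct scan_model {
	uint32_t comp_temp;	/* __le32 in the driver */
	uint32_t comp_press;	/* __le32 in the driver */
	int64_t timestamp;
};

/* Constructed sample: 3 bytes of temperature, then 3 bytes of pressure. */
static const uint8_t raw[6] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };

/* Build one scan over memory pre-filled with 'poison', which stands in for
 * stale stack contents. zero_init models zero-initializing the struct. */
static void build_scan(uint8_t *out, uint8_t poison, int zero_init)
{
	struct scan_model s;
	memset(&s, poison, sizeof(s));
	if (zero_init)
		memset(&s, 0, sizeof(s));
	memcpy(&s.comp_temp, &raw[0], 3);	/* short fill: 3 of 4 bytes */
	memcpy(&s.comp_press, &raw[3], 3);	/* short fill: 3 of 4 bytes */
	s.timestamp = 1234567890;
	memcpy(out, &s, sizeof(s));
}

/* Bit i is set when byte i of the scan depends on the prior memory
 * contents, i.e. the fill code never wrote it. */
static uint32_t unwritten_mask(int zero_init)
{
	uint8_t a[sizeof(struct scan_model)], b[sizeof(struct scan_model)];
	uint32_t mask = 0;
	build_scan(a, 0x00, zero_init);
	build_scan(b, 0xFF, zero_init);
	for (size_t i = 0; i < sizeof(a); i++)
		if (a[i] != b[i])
			mask |= 1u << i;
	return mask;
}

int main(void)
{
	printf("no initializer:   0x%02x\n", (unsigned)unwritten_mask(0));
	printf("zero-initialized: 0x%02x\n", (unsigned)unwritten_mask(1));
	return 0;
}
```

The two set bits in the first mask are offsets 3 and 7, the high byte of each 4-byte field. A padding-only audit would not flag them, since the struct has no holes.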