Re: [PATCH 2/3] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
From: David Lechner
Date: Thu Apr 09 2026 - 11:27:52 EST
On 4/9/26 8:40 AM, Greg Kroah-Hartman wrote:
> The tagged FIFO path declares iio_buff on the stack with __aligned(8)
> but no initializer, but there is a hole in the structure, which will
> then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
> copied, but the space between that and the timestamp is not
> initialized.
>
> Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
> issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
> but for the tagged path it only added the alignment qualifier and not
> the initializer :(
>
> Fix this by just zero-initializing the structure on the stack.
>
Reviewed-by: David Lechner <dlechner@xxxxxxxxxxxx>
>
> diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> index 5b28a3ffcc3d..48291203d1cd 100644
> --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> @@ -609,7 +609,7 @@ int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw)
> * must be passed a buffer that is aligned to 8 bytes so
> * as to allow insertion of a naturally aligned timestamp.
> */
> - u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
> + u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
Looks like a case where we could follow this up with a patch to
use IIO_DECLARE_BUF_WITH_TS().
> u8 tag;
> bool reset_ts = false;
> int i, err, read_len;
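Review bot: the `= { }` initializer zeroes all ST_LSM6DSX_IIO_BUFF_SIZE bytes at function entry, so the gap between the ST_LSM6DSX_SAMPLE_SIZE data bytes and the 8-byte aligned timestamp can no longer carry stale stack contents when the sample is pushed; the empty-brace form is a GNU extension the kernel already relies on, so no portability concern. The comment directly above the declaration still only explains the alignment requirement; consider extending it (or switching to IIO_DECLARE_BUF_WITH_TS() as suggested above, which carries both properties in one place) to state that the buffer must also be zero-initialized, since the commit message shows this hole was already missed once when c14edb4d0bdc added only the `__aligned(8)` qualifier here.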