Re: [PATCH 3/3] iio: imu: adis16550: fix stack leak in trigger handler
From: David Lechner
Date: Thu Apr 09 2026 - 11:37:40 EST
On 4/9/26 8:40 AM, Greg Kroah-Hartman wrote:
> adis16550_trigger_handler() declares the scan data array on the stack
> without initializing it. The memcpy() at the bottom fills only the
> first 28 bytes (TEMP + 6 channels of GYRO/ACCEL data), and
> iio_push_to_buffers_with_timestamp() writes the s64 timestamp at the
> 8-byte-aligned offset 32. Bytes 28-31 remain uninitialized stack data
> which leaks to userspace on every trigger.
>
> Fix this all by just zero-initializing the structure on the stack.
>
Reviewed-by: David Lechner <dlechner@xxxxxxxxxxxx>
>
> diff --git a/drivers/iio/imu/adis16550.c b/drivers/iio/imu/adis16550.c
> index 1f2af506f4bd..75679612052f 100644
> --- a/drivers/iio/imu/adis16550.c
> +++ b/drivers/iio/imu/adis16550.c
> @@ -836,7 +836,7 @@ static irqreturn_t adis16550_trigger_handler(int irq, void *p)
> u16 dummy;
> bool valid;
> struct iio_poll_func *pf = p;
> - __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8);
> + __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8) = { };
And another case where a followup patch to use IIO_DECLARE_BUFFER_WITH_TS()
would be appropriate.
> struct iio_dev *indio_dev = pf->indio_dev;
> struct adis16550 *st = iio_priv(indio_dev);
> struct adis *adis = iio_device_get_drvdata(indio_dev);
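Review bot: the `= { }` initializer on the `__be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8)` line does close the gap in bytes 28-31 between the 28-byte memcpy() and the 8-byte-aligned timestamp, but it relies on the whole array being cleared on every trigger rather than on the layout being explicit; the follow-up to IIO_DECLARE_BUFFER_WITH_TS() mentioned in this reply would make the padding and timestamp slot visible in the declaration itself, so it is worth noting that intent in the commit message so the two changes are read together.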
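To make the 4-byte window concrete, here is a small constructed C model (added for this page, not code from the driver or the patch) that fills a buffer the way the handler does and counts the bytes it never wrote, with and without zero-initialization. MAX_SCAN_DATA, ALIGN_UP, the poison byte and the sample values are assumptions; the 28-byte payload and the timestamp at offset 32 are taken from the commit message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the adis16550 scan buffer described in the commit
 * message: 7 x 32-bit words (TEMP + 3 gyro + 3 accel = 28 bytes) and an s64
 * timestamp at the next 8-byte-aligned offset. MAX_SCAN_DATA = 10 is an
 * assumption standing in for ADIS16550_MAX_SCAN_DATA. */
#define SCAN_WORDS     7
#define SCAN_BYTES     (SCAN_WORDS * 4)            /* 28 */
#define MAX_SCAN_DATA  10                          /* assumed array length */
#define BUF_BYTES      (MAX_SCAN_DATA * 4)
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))
#define POISON         0xAA

/* Offset at which the timestamp lands: ALIGN_UP(28, 8) == 32. */
size_t timestamp_offset(void)
{
    return ALIGN_UP(SCAN_BYTES, 8);
}

/* Mimics the trigger handler: copy the sample words, then store the
 * timestamp where iio_push_to_buffers_with_timestamp() would put it. */
static void fill_scan(uint8_t *buf, const uint32_t *samples, int64_t ts)
{
    memcpy(buf, samples, SCAN_BYTES);
    memcpy(buf + timestamp_offset(), &ts, sizeof(ts));
}

/* Returns how many bytes of the pushed region [0, ts_off + 8) were never
 * written by the handler. The buffer is pre-filled with a poison byte so the
 * gap is visible deterministically instead of depending on stale stack data;
 * the constructed sample and timestamp values contain no 0xAA byte. */
int count_unwritten_bytes(int zero_init)
{
    uint8_t buf[BUF_BYTES];
    const uint32_t samples[SCAN_WORDS] = { 1, 2, 3, 4, 5, 6, 7 };
    size_t end = timestamp_offset() + sizeof(int64_t);
    int unwritten = 0;

    memset(buf, POISON, sizeof(buf));   /* stands in for whatever the stack held */
    if (zero_init)
        memset(buf, 0, sizeof(buf));    /* the effect of `= { }` in the patch */
    fill_scan(buf, samples, 0x1122334455667788LL);

    for (size_t i = 0; i < end; i++)
        if (buf[i] == POISON)
            unwritten++;
    return unwritten;                   /* 4 without the fix, 0 with it */
}
```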