Re: [PATCH] iio: gyro: itg3200: fix i2c read into the wrong stack location
From: Andy Shevchenko
Date: Wed May 06 2026 - 02:40:10 EST
On Tue, May 05, 2026 at 02:37:48PM +0100, David Carlier wrote:
> itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
> fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
> parameter (a pointer), `&buf' is the address of the local pointer
> slot on the stack of itg3200_read_all_channels(), not the address
> of the caller's scan buffer. The (char *) cast hides the type
> mismatch.
>
> i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
> = 8 bytes into the parameter's stack slot, which is discarded when
> the function returns. The caller's scan buffer in
> itg3200_trigger_handler() is never written to, so
> iio_push_to_buffers_with_timestamp() pushes uninitialised stack
> contents to userspace via /dev/iio:deviceX every scan -- both a
> functional bug (no actual gyroscope or temperature data is
> delivered through the triggered buffer) and an information leak.
>
> The non-buffered read_raw() path is unaffected: it goes through
> itg3200_read_reg_s16() which uses `&out' on a local s16 value,
> where that is correct.
>
> Drop the spurious `&' so the i2c read writes into the caller's
> buffer.
Very good catch! I'm puzzled whether that code was ever tested. Do you have
the HW, and is that how you ran into this bug?

Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxx>
--
With Best Regards,
Andy Shevchenko
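The pointer-slot mix-up described in the quoted commit message, reproduced in userspace as an added example (this is not kernel code and not part of the thread). `fake_i2c_read()` stands in for `i2c_transfer()`, `be16_t` for the kernel's `__be16`, `SCAN_ELEMENTS` mirrors `ITG3200_SCAN_ELEMENTS` (4 words, matching the 8 bytes quoted above), and the register bytes are constructed sample data. The caller's scan buffer is pre-filled with a sentinel so it is visible whether the transfer ever reaches it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types/macros (constructed, not the kernel's own). */
typedef uint16_t be16_t;                          /* plays the role of __be16 */
#define SCAN_ELEMENTS 4                           /* mirrors ITG3200_SCAN_ELEMENTS */
#define SCAN_BYTES (SCAN_ELEMENTS * sizeof(int16_t))
#define SENTINEL 0xAAAA                           /* "uninitialised" marker */

/* Constructed sample register contents, big-endian as the device sends them. */
static const uint8_t sample_regs[SCAN_BYTES] = {
	0x00, 0x10,   /* temp = 16  */
	0x01, 0x00,   /* x    = 256 */
	0xff, 0xfe,   /* y    = -2  */
	0x00, 0x02,   /* z    = 2   */
};

/* Stand-in for i2c_transfer(): copies len bytes of sample data to dst. */
static int fake_i2c_read(char *dst, size_t len)
{
	if (len > SCAN_BYTES)
		return -1;
	memcpy(dst, sample_regs, len);
	return 0;
}

/* Bug pattern: `&buf' is the address of this function's own pointer
 * parameter, not of the caller's array, and the (char *) cast silences the
 * type mismatch.  The bytes land in the local slot and die at return.
 * The write is capped at sizeof(buf) here so the demo stays defined on
 * 32-bit hosts; the kernel code wrote all 8 bytes. */
static int read_all_buggy(be16_t *buf)
{
	size_t len = SCAN_BYTES < sizeof(buf) ? SCAN_BYTES : sizeof(buf);

	return fake_i2c_read((char *)&buf, len);        /* wrong: &buf */
}

/* Fixed pattern: pass the pointer itself, so the data reaches the caller. */
static int read_all_fixed(be16_t *buf)
{
	return fake_i2c_read((char *)buf, SCAN_BYTES);  /* right: buf */
}

/* Decode one big-endian word into a signed value. */
static int16_t be16_to_s16(be16_t v)
{
	const uint8_t *p = (const uint8_t *)&v;

	return (int16_t)((p[0] << 8) | p[1]);
}

/* Run one variant against a sentinel-filled scan buffer.  Returns how many
 * words the transfer overwrote (0 means the caller's buffer was untouched)
 * and leaves the decoded words in out[]. */
static int run_scan(int (*read_fn)(be16_t *), int16_t out[SCAN_ELEMENTS])
{
	be16_t scan[SCAN_ELEMENTS];
	int written = 0;

	memset(scan, 0xAA, sizeof(scan));
	if (read_fn(scan) != 0)
		return -1;
	for (int i = 0; i < SCAN_ELEMENTS; i++) {
		out[i] = be16_to_s16(scan[i]);
		if (scan[i] != SENTINEL)
			written++;
	}
	return written;
}

static int words_written(int (*read_fn)(be16_t *))
{
	int16_t tmp[SCAN_ELEMENTS];

	return run_scan(read_fn, tmp);
}

static int16_t decoded_word(int (*read_fn)(be16_t *), int idx)
{
	int16_t tmp[SCAN_ELEMENTS];

	run_scan(read_fn, tmp);
	return tmp[idx];
}

int main(void)
{
	int16_t v[SCAN_ELEMENTS];
	int n;

	n = run_scan(read_all_buggy, v);
	printf("buggy: %d words reached the caller (buffer still holds sentinel)\n", n);
	n = run_scan(read_all_fixed, v);
	printf("fixed: %d words: temp=%d x=%d y=%d z=%d\n", n, v[0], v[1], v[2], v[3]);
	return 0;
}
```

With the buggy variant the sentinel survives in every word, which is exactly what the triggered-buffer path then pushed to userspace; with the fix all four words decode to the sample values. Note that no default compiler warning distinguishes the two calls, because `(char *)&buf` is a perfectly legal cast of a valid object address; review (or a sentinel test like this one) is what catches it.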