Re: [PATCH] iio: pressure: bmp280: zero-init bmp580 trigger handler buffer
From: Andy Shevchenko
Date: Wed May 06 2026 - 05:17:50 EST
On Tue, May 05, 2026 at 06:34:55PM +0100, David Carlier wrote:
> bmp580_trigger_handler() builds an on-stack scan buffer containing
> two __le32 fields and an aligned_s64 timestamp, and pushes it to
> userspace via iio_push_to_buffers_with_ts(). However, only the low
> 3 bytes of each __le32 field are populated by the device data:
>
> memcpy(&buffer.comp_press, &data->buf[3], 3);
> memcpy(&buffer.comp_temp, &data->buf[0], 3);
>
> The high byte of each field is left uninitialised on the stack.
> The bmp580 channels declare storagebits = 32, so the IIO core
> transports all four bytes per sample to userspace as part of the
> scan element, leaking two bytes of kernel stack per scan.
>
> Zero-initialise the buffer before populating it, mirroring the fix
> applied to bme280_trigger_handler() in commit 018f50909e66 ("iio:
> bmp280: zero-init buffer").
Same Q, is any part of the above, including the initial report/analysis,
AI assisted? If so, you have to mention this in the respective
Reported-by:/Closes:/et cetera tags.
...
> } buffer;
} buffer = { };
will suffice.
> int ret;
>
> + memset(&buffer, 0, sizeof(buffer));
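Review bot: the memset on the `+` line zeroes every byte of the object, padding included, which is the one respect in which it is stronger than a `= { }` initializer on the declaration: C does not require a brace initializer to zero padding bytes. With the layout the commit message describes (two 4-byte fields followed by an 8-byte-aligned 64-bit timestamp) there is no padding, so the two forms are equivalent here. Whichever form is kept, a one-line comment at the declaration noting that the memcpys fill only 3 of 4 bytes per field would stop the zeroing from being dropped as redundant in a later cleanup.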
--
With Best Regards,
Andy Shevchenko
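As an added example that is not part of this thread or the bmp280 driver, the following userspace C model reproduces the record layout the commit message describes (two 32-bit fields filled from 3 device bytes each, plus an 8-byte-aligned 64-bit timestamp), builds it the fixed way, and checks byte by byte that the positions the memcpys never write read back as zero. The struct, helper names and the 6-byte sample are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed userspace model of the scan record; not the kernel driver's struct. */
struct scan_record {
    uint32_t comp_press;
    uint32_t comp_temp;
    int64_t timestamp __attribute__((aligned(8)));
};

#define RAW_LEN 6   /* device bytes: temp at [0..2], pressure at [3..5] */

/* Fixed construction: zero the whole object before the partial memcpys so
 * the fourth byte of each field is deterministic instead of stale stack. */
static void build_scan_fixed(struct scan_record *s,
                             const uint8_t raw[RAW_LEN], int64_t ts)
{
    memset(s, 0, sizeof(*s));
    memcpy(&s->comp_press, &raw[3], 3);
    memcpy(&s->comp_temp, &raw[0], 3);
    s->timestamp = ts;
}

/* The high byte of each field is never written by the memcpys; after the
 * fix both must read back as zero. Returns 1 if so, 0 otherwise. */
static int scan_unwritten_bytes_are_zero(const struct scan_record *s)
{
    const uint8_t *p = (const uint8_t *)s;
    const size_t unwritten[] = {
        offsetof(struct scan_record, comp_press) + 3,
        offsetof(struct scan_record, comp_temp) + 3,
    };

    for (size_t i = 0; i < sizeof(unwritten) / sizeof(unwritten[0]); i++)
        if (p[unwritten[i]] != 0)
            return 0;
    return 1;
}

/* The three device bytes must land in the low-address bytes of each field. */
static int scan_data_bytes_match(const struct scan_record *s,
                                 const uint8_t raw[RAW_LEN])
{
    const uint8_t *p = (const uint8_t *)s;

    return memcmp(p + offsetof(struct scan_record, comp_press), &raw[3], 3) == 0 &&
           memcmp(p + offsetof(struct scan_record, comp_temp), &raw[0], 3) == 0;
}

/* 1 if the compiler inserted padding (bytes no initializer is required to
 * zero), 0 if the fields are packed back to back as in this layout. */
static int scan_record_has_padding(void)
{
    return sizeof(struct scan_record) !=
           2 * sizeof(uint32_t) + sizeof(int64_t);
}

/* Builds a record from a constructed sample and returns 1 when every byte
 * is either device data, the timestamp, or zero. */
static int demo_fixed_record_is_clean(void)
{
    static const uint8_t raw[RAW_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }; /* constructed */
    struct scan_record s;

    build_scan_fixed(&s, raw, 1234567890LL);
    return scan_unwritten_bytes_are_zero(&s) &&
           scan_data_bytes_match(&s, raw) &&
           s.timestamp == 1234567890LL;
}

int main(void)
{
    static const uint8_t raw[RAW_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }; /* constructed */
    struct scan_record s;
    const uint8_t *p = (const uint8_t *)&s;

    build_scan_fixed(&s, raw, 1234567890LL);
    printf("record bytes:");
    for (size_t i = 0; i < sizeof(s); i++)
        printf(" %02x", p[i]);
    printf("\nclean: %s, padding: %s\n",
           demo_fixed_record_is_clean() ? "yes" : "no",
           scan_record_has_padding() ? "yes" : "no");
    return 0;
}
```

The byte-offset check is the part worth keeping around: it verifies what actually crosses the kernel/user boundary (the raw bytes of the scan element) rather than the integer values, which is exactly where a 3-of-4-byte fill leaves a hole. The padding check documents why memset and a `= { }` initializer coincide for this layout; on a layout with padding only memset guarantees every byte is zeroed.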