Re: [PATCH] iio: magnetometer: ak8975: fix potential kernel stack memory leak

From: Joshua Crofts

Date: Fri May 15 2026 - 05:06:13 EST


On Thu, 14 May 2026 at 13:38, Joshua Crofts via B4 Relay
<devnull+joshua.crofts1.gmail.com@xxxxxxxxxx> wrote:
>
> From: Joshua Crofts <joshua.crofts1@xxxxxxxxx>
>
> Currently in the AK8975 driver there are two instances where potential
> uninitialized kernel stack memory leaks can occur. If
> i2c_smbus_read_i2c_block_data_or_emulated() returns a value less than
> the size of the buffer, uninitialized bytes are retained in the buffer
> and later the buffer is passed on to IIO buffers, potentially leaking
> memory to userspace.
>
> Fix this by adding checks whether the return value of the function is
> equal to the size of the buffer and subsequently if the value is
> less than zero to distinguish from a returned error code.
>
> Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
> Reported-by: Sashiko <sashiko-bot@xxxxxxxxxx>
> Closes: https://sashiko.dev/#/patchset/20260513-ak8975-fix-v1-1-104ea605dd54%40gmail.com
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Joshua Crofts <joshua.crofts1@xxxxxxxxx>
> ---
> drivers/iio/magnetometer/ak8975.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
> index b648b0afa5733fd7a54bdf2b8f92f00e924c074b..9d23c8136291a52ca9ab928d81332aa32933fec6 100644
> --- a/drivers/iio/magnetometer/ak8975.c
> +++ b/drivers/iio/magnetometer/ak8975.c
> @@ -756,8 +756,11 @@ static int ak8975_read_axis(struct iio_dev *indio_dev, int index, int *val)
> ret = i2c_smbus_read_i2c_block_data_or_emulated(
> client, def->data_regs[index],
> sizeof(rval), (u8*)&rval);
> - if (ret < 0)
> + if (ret != sizeof(rval)) {
> + if (ret >= 0)
> + ret = -EIO;
> goto exit;
> + }
>
> /* Read out ST2 for release lock on measurement data. */
> ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]);
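
Review bot: in `if (ret != sizeof(rval)) {` a value that can hold a negative error code (the removed line tested `ret < 0`) is compared with the unsigned result of sizeof. A negative ret is converted to a large unsigned value, so the branch is still entered and the inner `if (ret >= 0)` keeps the error code, but that depends on the implicit conversion and will trip sign-compare warnings. Testing the error first reads more plainly: `if (ret < 0) goto exit;` followed by `if (ret != sizeof(rval)) { ret = -EIO; goto exit; }`, so the length comparison only ever sees a non-negative count.
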
> @@ -871,8 +874,11 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
> def->data_regs[0],
> 3 * sizeof(fval[0]),
> (u8 *)fval);
> - if (ret < 0)
> + if (ret != sizeof(fval)) {
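
Review bot: the read requests `3 * sizeof(fval[0])` bytes, but `if (ret != sizeof(fval)) {` compares the result against `sizeof(fval)`. The two agree only when fval has exactly three elements, which these lines do not show. If the array is ever larger, every complete read would be rejected. Use the same length expression in the call and in the check, for example through one local variable. The signed versus unsigned comparison applies here too, so test `ret < 0` before comparing lengths.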

Hmm, Sashiko pointed out that I am comparing a signed integer with
an unsigned integer, which would result in type promotion and subsequent
mangling of any potential negative values... will fix in v2.

https://sashiko.dev/#/patchset/20260514-magnetometer-kernel-mem-leak-v1-1-35b48d699faf%40gmail.com

--
Kind regards

CJD
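
A userspace model of the short-read handling discussed in this thread, added here as an example; it is not part of the patch or of the driver. The names fake_block_read, normalize_read and read_three_axes are hypothetical. The error test runs before the length comparison, so only a non-negative count is compared with the buffer size.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a block read: copies at most `avail` bytes and
 * returns the count copied, or -err when `err` is non-zero. */
static int fake_block_read(const uint8_t *src, size_t avail, int err,
                           size_t len, uint8_t *dst)
{
    size_t n = avail < len ? avail : len;

    if (err)
        return -err;
    memcpy(dst, src, n);
    return (int)n;
}

/* Error first (signed test), then the short-read test on a count that is
 * known to be non-negative, so no negative value is converted to unsigned. */
static int normalize_read(int ret, size_t want)
{
    if (ret < 0)
        return ret;
    if ((size_t)ret != want)
        return -EIO;
    return 0;
}

/* Returns 0 and fills out[3] only when all six bytes arrived. */
static int read_three_axes(const uint8_t *src, size_t avail, int err,
                           int16_t out[3])
{
    int16_t fval[3];    /* deliberately left uninitialised, like a stack buffer */
    int ret;

    ret = fake_block_read(src, avail, err, sizeof(fval), (uint8_t *)fval);
    ret = normalize_read(ret, sizeof(fval));
    if (ret)
        return ret;     /* a partly filled fval is never copied out */
    memcpy(out, fval, sizeof(fval));
    return 0;
}
```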