Re: [PATCH 1/3] iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
From: Jonathan Cameron
Date: Mon Apr 20 2026 - 14:31:29 EST
On Thu, 9 Apr 2026 10:01:43 -0500
David Lechner <dlechner@xxxxxxxxxxxx> wrote:
> On 4/9/26 8:40 AM, Greg Kroah-Hartman wrote:
> > bmp580_trigger_handler() declares its scan buffer on the stack without
> > an initializer and then memcpy()s 3 bytes of 24-bit sensor data into
> > each 4-byte __le32 field. The high byte of comp_temp and comp_press is
> > left uninitialized, and the channel storagebits is 32, so two bytes of
> > stack are pushed to userspace per scan.
> >
> > This is a regression from when the buffer lived in the private data; the
> > move to a stack-local struct dropped the implicit zeroing.
> > bme280_trigger_handler() was fixed up to handle this bug, but this
> > driver was not fixed because there was no padding hole, but rather a
> > short-fill issue.
> >
> > Fix this all by just zero-initializing the structure on the stack.
> >
>
> Reviewed-by: David Lechner <dlechner@xxxxxxxxxxxx>
Series applied to the fixes-togreg branch of iio.git.
I'll rebase on rc1 once available before sending out a pull request,
but in the meantime it can get some build coverage.
Thanks,
Jonathan
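The short-fill leak described in the commit message, reduced to a user-space model (added example, not code from the driver or the thread): two 4-byte little-endian fields receive 3 bytes of sensor data each, so the high byte of each keeps whatever the stack held unless the struct is zeroed first. The struct layout, the 0xAA "stale stack" poison and the sample sensor bytes are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver's scan buffer: two 32-bit
 * little-endian fields modelled on comp_temp / comp_press. */
struct scan {
    uint8_t comp_temp[4];   /* byte view of a __le32 */
    uint8_t comp_press[4];
};

/* Constructed 24-bit sensor readings (little-endian byte order). */
static const uint8_t sample_temp[3]  = { 0x12, 0x34, 0x56 };
static const uint8_t sample_press[3] = { 0x9a, 0xbc, 0xde };

/* Model the handler. zero_init == 0 reproduces the bug: the frame is
 * filled with 0xAA to stand in for stale stack contents, then only 3 of
 * 4 bytes per field are overwritten. zero_init == 1 is the fix. */
static void fill_scan(struct scan *s, int zero_init)
{
    memset(s, zero_init ? 0x00 : 0xAA, sizeof(*s));
    memcpy(s->comp_temp, sample_temp, 3);    /* byte 3 untouched */
    memcpy(s->comp_press, sample_press, 3);  /* byte 3 untouched */
}

/* Number of bytes per scan that still carry the stale marker, i.e. the
 * bytes that would reach userspace with 32-bit storagebits. */
static int demo_leaked_bytes(int zero_init)
{
    struct scan s;
    int n = 0;
    fill_scan(&s, zero_init);
    if (s.comp_temp[3] == 0xAA)  n++;
    if (s.comp_press[3] == 0xAA) n++;
    return n;
}

/* Decode the 24-bit temperature value; identical with and without the
 * fix, showing the zeroing changes only the leaked high byte. */
static uint32_t demo_temp_value(int zero_init)
{
    struct scan s;
    fill_scan(&s, zero_init);
    return (uint32_t)s.comp_temp[0] | (uint32_t)s.comp_temp[1] << 8 |
           (uint32_t)s.comp_temp[2] << 16;
}

int main(void)
{
    printf("leaked bytes: buggy=%d fixed=%d\n",
           demo_leaked_bytes(0), demo_leaked_bytes(1));
    return 0;
}
```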