diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-09 15:40:49 +0200 |
|---|---|---|
| committer | Jonathan Cameron <jic23@kernel.org> | 2026-05-15 12:01:38 +0100 |
| commit | 474f8928d50b09f7dcf507049f08732640b88b49 (patch) | |
| tree | 6aeb23ac84eb422b287e32dcd3b86a6c2aec4c6f /scripts/objdiff | |
| parent | c9d8e9adaa63150ef7e833480b799d0bab83a276 (diff) | |
iio: imu: adis16550: fix stack leak in trigger handler
adis16550_trigger_handler() declares the scan data array on the stack
without initializing it. The memcpy() at the bottom fills only the
first 28 bytes (TEMP + 6 channels of GYRO/ACCEL data), and
iio_push_to_buffers_with_timestamp() writes the s64 timestamp at the
8-byte-aligned offset 32. Bytes 28-31 remain uninitialized stack data
which leaks to userspace on ever trigger.
Fix this all by just zero-initializing the structure on the stack.
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Michael Hennerich <Michael.Hennerich@analog.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: e4570f4bb231 ("iio: imu: adis16550: align buffers for timestamp")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Diffstat (limited to 'scripts/objdiff')
0 files changed, 0 insertions, 0 deletions