Commit 191445c1 authored Feb 21, 2025 by Javier Carrasco Committed by Xia Fukun Feb 21, 2025

iio: imu: kmx61: fix information leak in triggered buffer

stable inclusion
from stable-v5.10.234
commit a386d9d2dc6635f2ec210b8199cfb3acf4d31305
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQVT
CVE: CVE-2024-57908

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a386d9d2dc6635f2ec210b8199cfb3acf4d31305



--------------------------------

commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream.

The 'buffer' local array is used to push data to user space from a
triggered buffer, but it does not set values for inactive channels, as
it only uses iio_for_each_active_channel() to assign new values.

Initialize the array to zero before using it to avoid pushing
uninitialized information to userspace.

Cc: stable@vger.kernel.org
Fixes: c3a23ecc ("iio: imu: kmx61: Add support for data ready triggers")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com


Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Xia Fukun <xiafukun@huawei.com>

parent 4d88bf76

drivers/iio/imu/kmx61.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1198,7 +1198,7 @@ static irqreturn_t kmx61_trigger_handler(int irq, void *p)
		struct kmx61_data *data = kmx61_get_data(indio_dev);
		int bit, ret, i = 0;
		u8 base;
		s16 buffer[8];
		s16 buffer[8] = { };

		if (indio_dev == data->acc_indio_dev)
		base = KMX61_ACC_XOUT_L;