Commit 9fd38a41 authored Jan 22, 2025 by Javier Carrasco Committed by Liao Chen Jan 22, 2025

iio: adc: ti-ads8688: fix information leak in triggered buffer

stable inclusion
from stable-v6.6.72
commit 455df95eb8f24a37abc549d6738fc8ee07eb623b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQW3
CVE: CVE-2024-57906

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=455df95eb8f24a37abc549d6738fc8ee07eb623b



--------------------------------

commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream.

The 'buffer' local array is used to push data to user space from a
triggered buffer, but it does not set values for inactive channels, as
it only uses iio_for_each_active_channel() to assign new values.

Initialize the array to zero before using it to avoid pushing
uninitialized information to userspace.

Cc: stable@vger.kernel.org
Fixes: 61fa5dfa ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com


Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Liao Chen <liaochen4@huawei.com>

parent cd78f9c5

drivers/iio/adc/ti-ads8688.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -382,7 +382,7 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p)
		struct iio_poll_func *pf = p;
		struct iio_dev *indio_dev = pf->indio_dev;
		/* Ensure naturally aligned timestamp */
		u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);
		u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { };
		int i, j = 0;

		for (i = 0; i < indio_dev->masklength; i++) {