Commit e35ba8b3 authored Jan 21, 2025 by Javier Carrasco Committed by Huang Xiaojia Jan 21, 2025

iio: light: vcnl4035: fix information leak in triggered buffer

stable inclusion
from stable-v6.6.72
commit a15ea87d4337479c9446b5d71616f4668337afed
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQVN
CVE: CVE-2024-57910

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a15ea87d4337479c9446b5d71616f4668337afed



--------------------------------

commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream.

The 'buffer' local array is used to push data to userspace from a
triggered buffer, but it does not set an initial value for the single
data element, which is an u16 aligned to 8 bytes. That leaves at least
4 bytes uninitialized even after writing an integer value with
regmap_read().

Initialize the array to zero before using it to avoid pushing
uninitialized information to userspace.

Cc: stable@vger.kernel.org
Fixes: ec90b52c ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com


Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huang Xiaojia <huangxiaojia2@huawei.com>

parent 88ee450e

drivers/iio/light/vcnl4035.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -105,7 +105,7 @@ static irqreturn_t vcnl4035_trigger_consumer_handler(int irq, void *p)
		struct iio_dev *indio_dev = pf->indio_dev;
		struct vcnl4035_data *data = iio_priv(indio_dev);
		/* Ensure naturally aligned timestamp */
		u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8);
		u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8) = { };
		int ret;

		ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);