diff mbox series

[v3,04/10] iio: at91-sama5d2_adc: Fix unsafe buffer attributes

Message ID be69775aa302159f088b8b91894e6ec449bca65b.1664782676.git.mazziesaccount@gmail.com (mailing list archive)
State New, archived
Headers show
Series iio: Fix unsafe buffer attributes | expand

Commit Message

Matti Vaittinen Oct. 3, 2022, 8:11 a.m. UTC
The iio_triggered_buffer_setup_ext() was changed by
commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
to silently expect that all attributes given in buffer_attrs array are
device-attributes. This expectation was not forced by the API - and some
drivers did register attributes created by IIO_CONST_ATTR().

The added attribute "wrapping" does not copy the pointer to stored
string constant and when the sysfs file is read the kernel will access
to invalid location.

Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
to prevent the invalid memory access.

Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")

---

v2 => v3:
Split change to own patch for simpler fix backporting.
---
 drivers/iio/adc/at91-sama5d2_adc.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

Comments

Claudiu Beznea Oct. 6, 2022, 8:34 a.m. UTC | #1
On 03.10.2022 11:11, Matti Vaittinen wrote:
> The iio_triggered_buffer_setup_ext() was changed by
> commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
> to silently expect that all attributes given in buffer_attrs array are
> device-attributes. This expectation was not forced by the API - and some
> drivers did register attributes created by IIO_CONST_ATTR().
> 
> The added attribute "wrapping" does not copy the pointer to stored
> string constant and when the sysfs file is read the kernel will access
> to invalid location.
> 
> Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
> to prevent the invalid memory access.
> 
> Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")

Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>

on SAMA5D2
Jonathan Cameron Oct. 16, 2022, 11:14 a.m. UTC | #2
On Thu, 6 Oct 2022 08:34:17 +0000
<Claudiu.Beznea@microchip.com> wrote:

> On 03.10.2022 11:11, Matti Vaittinen wrote:
> > The iio_triggered_buffer_setup_ext() was changed by
> > commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
> > to silently expect that all attributes given in buffer_attrs array are
> > device-attributes. This expectation was not forced by the API - and some
> > drivers did register attributes created by IIO_CONST_ATTR().
> > 
> > The added attribute "wrapping" does not copy the pointer to stored
> > string constant and when the sysfs file is read the kernel will access
> > to invalid location.
> > 
> > Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
> > to prevent the invalid memory access.
> > 
> > Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
> > Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")  
> 
> Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>
> 
> on SAMA5D2
> 
Applied to the fixes-togreg branch of iio.git and marked for stable.

For the reset of the series I'll need to wait for these first 4 patches to make their
way to upstream of the togreg branch then queue the rest up on top of that.

Jonathan

>
diff mbox series

Patch

diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
index 279430c1d88c..6e3f9fa93cee 100644
--- a/drivers/iio/adc/at91-sama5d2_adc.c
+++ b/drivers/iio/adc/at91-sama5d2_adc.c
@@ -1841,13 +1841,26 @@  static ssize_t at91_adc_get_watermark(struct device *dev,
 	return scnprintf(buf, PAGE_SIZE, "%d\n", st->dma_st.watermark);
 }
 
+static ssize_t hwfifo_watermark_min_show(struct device *dev,
+					 struct device_attribute *attr,
+					 char *buf)
+{
+	return sysfs_emit(buf, "%s\n", "2");
+}
+
+static ssize_t hwfifo_watermark_max_show(struct device *dev,
+					 struct device_attribute *attr,
+					 char *buf)
+{
+	return sysfs_emit(buf, "%s\n", AT91_HWFIFO_MAX_SIZE_STR);
+}
+
 static IIO_DEVICE_ATTR(hwfifo_enabled, 0444,
 		       at91_adc_get_fifo_state, NULL, 0);
 static IIO_DEVICE_ATTR(hwfifo_watermark, 0444,
 		       at91_adc_get_watermark, NULL, 0);
-
-static IIO_CONST_ATTR(hwfifo_watermark_min, "2");
-static IIO_CONST_ATTR(hwfifo_watermark_max, AT91_HWFIFO_MAX_SIZE_STR);
+static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0);
+static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0);
 
 static IIO_CONST_ATTR(oversampling_ratio_available,
 		      __stringify(AT91_OSR_1SAMPLES) " "
@@ -1864,8 +1877,8 @@  static const struct attribute_group at91_adc_attribute_group = {
 };
 
 static const struct attribute *at91_adc_fifo_attributes[] = {
-	&iio_const_attr_hwfifo_watermark_min.dev_attr.attr,
-	&iio_const_attr_hwfifo_watermark_max.dev_attr.attr,
+	&iio_dev_attr_hwfifo_watermark_min.dev_attr.attr,
+	&iio_dev_attr_hwfifo_watermark_max.dev_attr.attr,
 	&iio_dev_attr_hwfifo_watermark.dev_attr.attr,
 	&iio_dev_attr_hwfifo_enabled.dev_attr.attr,
 	NULL,