Message ID | 20230314135734.2792944-1-harperchen1110@gmail.com |
---|---|
State | New |
Headers |
From: Wei Chen <harperchen1110@gmail.com> To: linux-i2c@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Wei Chen <harperchen1110@gmail.com> Subject: [PATCH] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() Date: Tue, 14 Mar 2023 13:57:34 +0000 Message-Id: <20230314135734.2792944-1-harperchen1110@gmail.com> X-Mailer: git-send-email 2.25.1 |
Series | i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() |
Commit Message
Wei Chen
March 14, 2023, 1:57 p.m. UTC
The data->block[0] variable comes from user and is a number between
0-255. Without proper check, the variable may be very large to cause
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
Fix this bug by checking the value of data->block[0].
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
---
drivers/i2c/busses/i2c-xgene-slimpro.c | 8 ++++++++
1 file changed, 8 insertions(+)
Comments
Hi Wei, On Tue, Mar 14, 2023 at 01:57:34PM +0000, Wei Chen wrote: > The data->block[0] variable comes from user and is a number between > 0-255. Without proper check, the variable may be very large to cause > an out-of-bounds when performing memcpy in slimpro_i2c_blkwr. > > Fix this bug by checking the value of data->block[0]. > > Signed-off-by: Wei Chen <harperchen1110@gmail.com> > --- > drivers/i2c/busses/i2c-xgene-slimpro.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c > index 63259b3ea5ab..bc9a3e7e0c96 100644 > --- a/drivers/i2c/busses/i2c-xgene-slimpro.c > +++ b/drivers/i2c/busses/i2c-xgene-slimpro.c > @@ -391,6 +391,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, > &data->block[0]); > > } else { > + > + if (data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX) > + return -EINVAL; > + > ret = slimpro_i2c_blkwr(ctx, addr, command, > SMBUS_CMD_LEN, > SLIMPRO_IIC_SMB_PROTOCOL, > @@ -408,6 +412,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, > IIC_SMB_WITHOUT_DATA_LEN, > &data->block[1]); > } else { > + > + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) > + return -EINVAL; > + you could eventually put this check inside slimpro_i2c_blkwr() so that you have it once and for all, for everyone. Andi > ret = slimpro_i2c_blkwr(ctx, addr, command, > SMBUS_CMD_LEN, > SLIMPRO_IIC_I2C_PROTOCOL, > -- > 2.25.1 >
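Review bot: both added blocks open with an empty `+` line directly after `} else {`, and kernel coding style does not put a blank line after an opening brace. Drop the leading blank line in each hunk so the `if (data->block[0] ...)` check sits immediately under the brace; that also takes the patch from 8 insertions to 6.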
The data->block[0] variable comes from user and is a number between
0-255. Without a proper check, the variable may be very large to cause
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
Fix this bug by checking the value of writelen.
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
---
Changes in v2:
- Put length check inside slimpro_i2c_blkwr
drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c
b/drivers/i2c/busses/i2c-xgene-slimpro.c
index bc9a3e7e0c96..0f7263e2276a 100644
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -308,6 +308,9 @@ static int slimpro_i2c_blkwr(struct
slimpro_i2c_dev *ctx, u32 chip,
u32 msg[3];
int rc;
+ if (writelen > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
memcpy(ctx->dma_buffer, data, writelen);
paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
DMA_TO_DEVICE);
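Review bot: the bound added at the top of slimpro_i2c_blkwr() is I2C_SMBUS_BLOCK_MAX, but the copy it protects is `memcpy(ctx->dma_buffer, data, writelen)`, and the size of ctx->dma_buffer is not visible in this hunk. Either state in the commit message that the constant matches the buffer's capacity, or compare writelen against the buffer size itself (sizeof(ctx->dma_buffer), if it is an array) so the check cannot drift from the allocation. The commit message also still describes data->block[0] while the check is on writelen; one sentence saying how the callers derive writelen from data->block[0] would make the fix easier to audit.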
Hi Wei, On Tue, Mar 14, 2023 at 11:43:41PM +0800, Wei Chen wrote: > The data->block[0] variable comes from user and is a number between > 0-255. Without a proper check, the variable may be very large to cause > an out-of-bounds when performing memcpy in slimpro_i2c_blkwr. > > Fix this bug by checking the value of writelen. > > Signed-off-by: Wei Chen <harperchen1110@gmail.com> I forgot to check earlier, can you also add: Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform") Cc: stable@vger.kernel.org > --- > Changes in v2: > - Put length check inside slimpro_i2c_blkwr > > drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c > b/drivers/i2c/busses/i2c-xgene-slimpro.c > index bc9a3e7e0c96..0f7263e2276a 100644 > --- a/drivers/i2c/busses/i2c-xgene-slimpro.c > +++ b/drivers/i2c/busses/i2c-xgene-slimpro.c > @@ -308,6 +308,9 @@ static int slimpro_i2c_blkwr(struct > slimpro_i2c_dev *ctx, u32 chip, > u32 msg[3]; > int rc; > + if (writelen > I2C_SMBUS_BLOCK_MAX) > + return -EINVAL; > + There is something odd looking here. Can you please fix the formatting and leave one blank line from the variable declaration and the 'if (...'. Remember, please, to run checkpatch.pl before sending the patch. Andi
diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c index 63259b3ea5ab..bc9a3e7e0c96 100644 --- a/drivers/i2c/busses/i2c-xgene-slimpro.c +++ b/drivers/i2c/busses/i2c-xgene-slimpro.c @@ -391,6 +391,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, &data->block[0]); } else { + + if (data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + ret = slimpro_i2c_blkwr(ctx, addr, command, SMBUS_CMD_LEN, SLIMPRO_IIC_SMB_PROTOCOL, @@ -408,6 +412,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, IIC_SMB_WITHOUT_DATA_LEN, &data->block[1]); } else { + + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + ret = slimpro_i2c_blkwr(ctx, addr, command, SMBUS_CMD_LEN, SLIMPRO_IIC_I2C_PROTOCOL,
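Review bot: the two checks use different bounds and neither hunk says why. In the SLIMPRO_IIC_SMB_PROTOCOL branch, `data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX` returns -EINVAL when data->block[0] equals I2C_SMBUS_BLOCK_MAX, so a maximum-length block write is rejected there, while the SLIMPRO_IIC_I2C_PROTOCOL branch with `data->block[0] > I2C_SMBUS_BLOCK_MAX` still accepts the same count. If the `+ 1` accounts for the count byte being copied along with the data, add a comment saying so and name the destination buffer size the bound is derived from; otherwise use the same comparison in both branches.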