Message ID | 20210702130430.17020-2-asmaa@nvidia.com
---|---
State | New
Series | [SRU,F:linux-bluefield,v2,1/1] UBUNTU: SAUCE: i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()
On 02.07.21 15:04, Asmaa Mnebhi wrote: > BugLink: https://bugs.launchpad.net/bugs/1934304 > > There could be stack overflow in mlxbf_i2c_smbus_start_transaction(). > memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments. > > Reviewed-by: Khalil Blaiech <kblaiech@nvidia.com> > Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks > > --- > drivers/i2c/busses/i2c-mlxbf.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c > index d3c7bc21e941..05c3025c9772 100644 > --- a/drivers/i2c/busses/i2c-mlxbf.c > +++ b/drivers/i2c/busses/i2c-mlxbf.c > @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv, > if (flags & I2C_F_WRITE) { > write_en = 1; > write_len += operation->length; > + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE) > + return -ENOBUFS; > memcpy(data_desc + data_idx, > operation->buffer, operation->length); > data_idx += operation->length; >
On 02.07.21 15:04, Asmaa Mnebhi wrote: > BugLink: https://bugs.launchpad.net/bugs/1934304 > > There could be stack overflow in mlxbf_i2c_smbus_start_transaction(). > memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments. > > Reviewed-by: Khalil Blaiech <kblaiech@nvidia.com> > Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > > --- > drivers/i2c/busses/i2c-mlxbf.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c > index d3c7bc21e941..05c3025c9772 100644 > --- a/drivers/i2c/busses/i2c-mlxbf.c > +++ b/drivers/i2c/busses/i2c-mlxbf.c > @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv, > if (flags & I2C_F_WRITE) { > write_en = 1; > write_len += operation->length; > + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE) > + return -ENOBUFS; > memcpy(data_desc + data_idx, > operation->buffer, operation->length); > data_idx += operation->length; >
diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c index d3c7bc21e941..05c3025c9772 100644 --- a/drivers/i2c/busses/i2c-mlxbf.c +++ b/drivers/i2c/busses/i2c-mlxbf.c @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv, if (flags & I2C_F_WRITE) { write_en = 1; write_len += operation->length; + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE) + return -ENOBUFS; memcpy(data_desc + data_idx, operation->buffer, operation->length); data_idx += operation->length;
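Review bot: the new bound check `if (data_idx + operation->length > MASTER_DATA_DESC_SIZE)` computes the sum before comparing, so if `operation->length` can be large relative to the operand width the addition can wrap and the check passes even though the following memcpy() overruns `data_desc`; writing it as `if (operation->length > MASTER_DATA_DESC_SIZE - data_idx)` cannot wrap, since `data_idx` never exceeds MASTER_DATA_DESC_SIZE once this check is in the loop. Separately, the subject and body name mlxbf_i2c_smbus_start_transaction(), but the `@@` context shows the patched function is mlx_smbus_start_transaction(); the commit message should use the name of the function actually modified. The hunk also only guards the `I2C_F_WRITE` branch; if a read branch in the same loop advances `data_idx` in the same way it would want the same treatment, but that code is not visible here.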