From patchwork Fri Jul 2 13:04:30 2021 X-Patchwork-Submitter: Asmaa Mnebhi X-Patchwork-Id: 1500095
From: Asmaa Mnebhi To: kernel-team@lists.ubuntu.com Subject: [SRU][F:linux-bluefield][PATCH v2 1/1] UBUNTU: SAUCE: i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction() Date: Fri, 2 Jul 2021 09:04:30 -0400 Message-Id: <20210702130430.17020-2-asmaa@nvidia.com> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210702130430.17020-1-asmaa@nvidia.com> References: <20210702130430.17020-1-asmaa@nvidia.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: meriton@nvidia.com, kblaiech@nvidia.com, asmaa@nvidia.com Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1934304 There could be stack overflow in mlxbf_i2c_smbus_start_transaction(). memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments. Reviewed-by: Khalil Blaiech Signed-off-by: Asmaa Mnebhi Acked-by: Kleber Sacilotto de Souza Acked-by: Stefan Bader --- drivers/i2c/busses/i2c-mlxbf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c index d3c7bc21e941..05c3025c9772 100644 --- a/drivers/i2c/busses/i2c-mlxbf.c +++ b/drivers/i2c/busses/i2c-mlxbf.c @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv, if (flags & I2C_F_WRITE) { write_en = 1; write_len += operation->length; + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE) + return -ENOBUFS; memcpy(data_desc + data_idx, operation->buffer, operation->length); data_idx += operation->length;
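Review bot: in the I2C_F_WRITE branch the new bounds check sits after `write_en = 1;` and `write_len += operation->length;`, so those values are already updated for an operation that is then refused with -ENOBUFS. Suggest moving the check to the top of the branch, before anything is updated. The comparison would also be more robust written as `operation->length > MASTER_DATA_DESC_SIZE - data_idx`, which does not rely on the sum `data_idx + operation->length` staying within the range of its type (the types are not visible in this hunk), given that the check itself keeps data_idx at or below MASTER_DATA_DESC_SIZE. Separately, the subject and commit message name mlxbf_i2c_smbus_start_transaction() while the hunk header shows mlx_smbus_start_transaction(); the message should use the function name as it appears in this tree.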