From patchwork Sat May 5 12:57:10 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 909147
X-Patchwork-Delegate: wolfram@the-dreams.de
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/2] i2c: core-smbus: fix a potential uninitialization bug
Date: Sat, 5 May 2018 07:57:10 -0500
Message-Id: <1525525030-9805-1-git-send-email-wang6495@umn.edu>

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable 'size', msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still be uninitialized even after the invocation of the function i2c_transfer(), especially when the return value of i2c_transfer() is not checked properly. In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass.

For example, it is expected that if the value of 'size' is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to invalid block write size, as demonstrated in the error message.

This patch initializes the first byte of msgbuf1 with 0 to avoid such undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index b5aec33..7d7700f 100644
--- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c 
@@ -344,6 +344,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, }; msgbuf0[0] = command; + msgbuf1[0] = 0; switch (size) { case I2C_SMBUS_QUICK: msg[0].len = 0;

From patchwork Sat May 5 13:02:21 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 909150
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 2/2] i2c: core-smbus: fix a potential missing-check bug
Date: Sat, 5 May 2018 08:02:21 -0500
Message-Id: <1525525341-10046-1-git-send-email-wang6495@umn.edu>

In i2c_smbus_xfer_emulated(), the function i2c_transfer() is invoked to transfer i2c messages. The number of actual transferred messages is returned and saved to 'status'. If 'status' is negative, that means an error occurred during the transfer process. In that case, the value of 'status' is an error code to indicate the reason of the transfer failure. In most cases, i2c_transfer() can transfer 'num' messages with no error. And so 'status' == 'num'. However, due to unexpected errors, it is probable that only partial messages are transferred by i2c_transfer(). As a result, 'status' != 'num'. This special case is not checked after the invocation of i2c_transfer() and can potentially lead to unexpected issues in the following execution since it is expected that 'status' == 'num'.

This patch checks the return value of i2c_transfer() and returns an error code -EIO if the number of actual transferred messages 'status' is not equal to 'num'.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index 7d7700f..e7a2d2f 100644 --- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c
@@ -467,6 +467,8 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, status = i2c_transfer(adapter, msg, num); if (status < 0) return status; + if (status != num) + return -EIO; /* Check PEC if last message is a read */ if (i && (msg[num-1].flags & I2C_M_RD)) {
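
Review bot: In the [PATCH v2 1/2] hunk at -344,6 +344,7, the added `msgbuf1[0] = 0;` initializes only the first byte, so any later read of msgbuf1 beyond index 0 after a short transfer would still see uninitialized data. The commit message gives the data->block[0] read only as an example of how msgbuf1 is consumed, so consider zero-initializing the whole buffer where it is declared (outside this hunk) instead of a single element. Placed directly after `msgbuf0[0] = command;` the assignment reads as protocol setup rather than a defensive default, so a short comment saying why it is there would help. With 2/2 applied the function returns -EIO right after i2c_transfer() on a short transfer, so the commit message should say whether this change is still required on its own or is defence in depth.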
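
Review bot: In the [PATCH v2 2/2] hunk at -467,6 +467,8, the new `if (status != num)` test has no comment, and nothing in the hunk records that the code below it (the PEC check that indexes `msg[num-1]`) depends on all `num` messages having completed. Add a one-line comment above the test saying that a short positive count is treated as a failed transfer. The commit message should also state whether any adapter is known to return a short positive count from i2c_transfer(), because callers that previously continued past this point on that path will now receive -EIO.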