From patchwork Thu Jun 21 15:03:24 2018
X-Patchwork-Submitter: Pasha
X-Patchwork-Id: 932779
From: Pasha Orehov
Date: Thu, 21 Jun 2018 18:03:24 +0300
Subject: PATCH i2c: smbus_read_block write out of buffer on noisy bus
To: linux-i2c@vger.kernel.org
Cc: Mark Studebaker, Jean Delvare, Frodo Looijaard
X-Mailing-List: linux-i2c@vger.kernel.org

Hi, all

On i2c_smbus_read_block my device sometimes returns FFs, so kernel writes results out of buffer and halts. So it may be treated as security hole too. This code exists since v2.6

Please mitigate me. :)

Pavel

--- i2c-core-smbus-linus.c 2018-06-21 17:04:10.620609631 +0300 +++ i2c-core-smbus.c 2018-06-21 17:22:23.145417235 +0300 @@ -226,7 +226,7 @@ if (status) return status; - memcpy(values, &data.block[1], data.block[0]); + memcpy(values, &data.block[1], min(data.block[0], sizeof(data))); return data.block[0]; } EXPORT_SYMBOL(i2c_smbus_read_block_data); 
@@ -494,7 +494,7 @@ break; case I2C_SMBUS_BLOCK_DATA: case I2C_SMBUS_BLOCK_PROC_CALL: - for (i = 0; i < msg[1].buf[0] + 1; i++) + for (i = 0; i < min(sizeof(i2c_smbus_data), msg[1].buf[0] + 1); i++) data->block[i] = msg[1].buf[i]; break; }
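Review bot: In the first hunk (@@ -226, i2c_smbus_read_block_data), the new bound `sizeof(data)` is the size of the local source union, not of the caller's `values` buffer, and because the copy starts at `&data.block[1]` a count equal to `sizeof(data)` still reads one byte past the end of the union. SMBus block transfers carry at most I2C_SMBUS_BLOCK_MAX data bytes, so that constant is the limit to check against. The function also still returns the unclamped `data.block[0]`, so a caller is told that more bytes arrived than were copied. Rather than truncating silently, reject the transfer before the memcpy, for example `if (data.block[0] > I2C_SMBUS_BLOCK_MAX) return -EPROTO;`. If clamping is kept anyway, note that `min()` here mixes a `__u8` with a `size_t`, which the kernel's type-checked `min()` complains about; `min_t()` would be needed.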
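Review bot: In the second hunk (@@ -494, the I2C_SMBUS_BLOCK_DATA / I2C_SMBUS_BLOCK_PROC_CALL case), `sizeof(i2c_smbus_data)` does not compile: `i2c_smbus_data` is a union tag, not a typedef or a variable, so this has to be `sizeof(*data)` or `sizeof(union i2c_smbus_data)`. The clamp also only limits how many bytes are written into `data->block[]`; the first iteration still copies the device-supplied count from `msg[1].buf[0]` into `data->block[0]`, so the invalid length is handed on to every caller that trusts it. Check `msg[1].buf[0] > I2C_SMBUS_BLOCK_MAX` ahead of the loop and fail the transfer with an error instead of copying a truncated block.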