From: Jean Delvare <jdelvare@suse.de>
To: Wolfram Sang <wsa@the-dreams.de>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Daniel Kurtz <djkurtz@chromium.org>,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot <syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Jarkko Nikula <jarkko.nikula@linux.intel.com>
Subject: Re: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Date: Sun, 22 Mar 2020 19:08:13 +0100 [thread overview]
Message-ID: <20200322190813.39b92de2@endymion> (raw)
In-Reply-To: <20200320145748.GD1282@ninjato>
Hi Wolfram,
Can you please bounce the previous messages in this thread to me? I was
apparently not Cc'd so I'm missing the context.
Thanks,
Jean
On Fri, 20 Mar 2020 15:57:48 +0100, Wolfram Sang wrote:
> On Sat, Feb 22, 2020 at 01:45:23PM +0100, Wolfram Sang wrote:
> > On Tue, Jan 14, 2020 at 10:34:06AM +0300, Dan Carpenter wrote:
> > > Assigning "priv->data[-1] = priv->len;" obviously doesn't make sense.
> > > What it does is it ends up corrupting the last byte of priv->len so
> > > priv->len becomes a very high number.
> > >
> > > Reported-by: syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com
> > > Fixes: d3ff6ce40031 ("i2c-i801: Enable IRQ for byte_by_byte transactions")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> >
> > Daniel, Jean: what do you think?
> > Also, adding Jarkko to CC who works a lot with this driver...
>
> Ping. Adding more people...
>
> >
> > > Untested.
> > >
> > > drivers/i2c/busses/i2c-i801.c | 1 -
> > > 1 file changed, 1 deletion(-)
> > >
> > > diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
> > > index f5e69fe56532..420d8025901e 100644
> > > --- a/drivers/i2c/busses/i2c-i801.c
> > > +++ b/drivers/i2c/busses/i2c-i801.c
> > > @@ -584,7 +584,6 @@ static void i801_isr_byte_done(struct i801_priv *priv)
> > > "SMBus block read size is %d\n",
> > > priv->len);
> > > }
> > > - priv->data[-1] = priv->len;
> > > }
> > >
> > > /* Read next byte */
> > > --
> > > 2.11.0
> > >
next prev parent reply other threads:[~2020-03-22 18:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 6:34 KASAN: vmalloc-out-of-bounds Write in i801_isr syzbot
2020-01-14 7:34 ` [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done() Dan Carpenter
2020-02-22 12:45 ` Wolfram Sang
2020-03-20 14:57 ` Wolfram Sang
2020-03-22 18:08 ` Jean Delvare [this message]
2020-03-22 21:10 ` Andy Shevchenko
2020-03-22 21:12 ` Wolfram Sang
2020-03-22 22:11 ` Jean Delvare
2020-03-23 9:37 ` Dan Carpenter
2020-03-23 17:51 ` Jean Delvare
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200322190813.39b92de2@endymion \
--to=jdelvare@suse.de \
--cc=andriy.shevchenko@linux.intel.com \
--cc=dan.carpenter@oracle.com \
--cc=djkurtz@chromium.org \
--cc=jarkko.nikula@linux.intel.com \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com \
--cc=wsa@the-dreams.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.