From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com>,
Wolfram Sang <wsa@kernel.org>, Sasha Levin <sashal@kernel.org>,
syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Subject: [PATCH 4.19 17/27] i2c: validate user data in compat ioctl
Date: Mon, 3 Jan 2022 15:23:57 +0100 [thread overview]
Message-ID: <20220103142052.730848150@linuxfoundation.org> (raw)
In-Reply-To: <20220103142052.162223000@linuxfoundation.org>
From: Pavel Skripkin <paskripkin@gmail.com>
[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings
Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-dev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 57aece8098416..140dd074fdee5 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -544,6 +544,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
sizeof(rdwr_arg)))
return -EFAULT;
+ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
+ return -EINVAL;
+
if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
return -EINVAL;
--
2.34.1
next prev parent reply other threads:[~2022-01-03 14:25 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-03 14:23 [PATCH 4.19 00/27] 4.19.224-rc1 review Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 01/27] HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 02/27] tee: handle lookup of shm with reference count 0 Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 03/27] Input: i8042 - add deferred probe support Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 04/27] Input: i8042 - enable deferred probe quirk for ASUS UM325UA Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 05/27] platform/x86: apple-gmux: use resource_size() with res Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 06/27] recordmcount.pl: fix typo in s390 mcount regex Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 07/27] selinux: initialize proto variable in selinux_ip_postroute_compat() Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 08/27] scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 09/27] udp: using datalen to cap ipv6 udp max gso segments Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 10/27] selftests: Calculate udpgso segment count without header adjustment Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 11/27] sctp: use call_rcu to free endpoint Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 12/27] net: usb: pegasus: Do not drop long Ethernet frames Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 13/27] NFC: st21nfca: Fix memory leak in device probe and remove Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 14/27] net/mlx5e: Fix wrong features assignment in case of error Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 15/27] selftests/net: udpgso_bench_tx: fix dst ip argument Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 16/27] fsl/fman: Fix missing put_device() call in fman_port_probe Greg Kroah-Hartman
2022-01-03 14:23 ` Greg Kroah-Hartman [this message]
2022-01-03 14:23 ` [PATCH 4.19 18/27] nfc: uapi: use kernel size_t to fix user-space builds Greg Kroah-Hartman
2022-01-03 14:23 ` [PATCH 4.19 19/27] uapi: fix linux/nfc.h userspace compilation errors Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 20/27] xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 21/27] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 22/27] usb: mtu3: set interval of FS intr and isoc endpoint Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 23/27] binder: fix async_free_space accounting for empty parcels Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 24/27] scsi: vmw_pvscsi: Set residual data length conditionally Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 25/27] Input: appletouch - initialize work before device registration Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 26/27] Input: spaceball - fix parsing of movement data packets Greg Kroah-Hartman
2022-01-03 14:24 ` [PATCH 4.19 27/27] net: fix use-after-free in tw_timer_handler Greg Kroah-Hartman
2022-01-03 20:18 ` [PATCH 4.19 00/27] 4.19.224-rc1 review Pavel Machek
2022-01-04 1:25 ` Guenter Roeck
2022-01-04 9:53 ` Jon Hunter
2022-01-04 13:00 ` Naresh Kamboju
2022-01-04 15:51 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220103142052.730848150@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paskripkin@gmail.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com \
--cc=wsa@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.