From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Bence Csókás" <bence98@sch.bme.hu>
Cc: Wolfram Sang <wsa@kernel.org>,
linux-i2c@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
Date: Fri, 14 Oct 2022 10:03:09 +0300 [thread overview]
Message-ID: <Y0kJrSozgFotrWVt@kadam> (raw)
In-Reply-To: <CACCVKEEWr-ko9yuZZnzW6icnDesdhajKbb+KWOaVyGDPy9D4Cg@mail.gmail.com>
On Thu, Oct 13, 2022 at 08:02:04PM +0200, Bence Csókás wrote:
> Dan Carpenter <dan.carpenter@oracle.com> ezt írta (időpont: 2022. okt.
> 12., Sze, 16:52):
> >
> > The "msg->len" can be controlled by the user via the ioctl. We need to
> > ensure that it is not too large.
>
> Does the I2C core not check that submitted msgs do not exceed maximums
> specified in `i2c_adapter_quirks`? @WSA?
> If not, other drivers may also have this issue.
>
I fixed another driver as well.
The other related bugs we've been fixing recently are related to
i2cdev_ioctl(). So it's not 100% the same, but similar.
> > Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > drivers/i2c/busses/i2c-cp2615.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> > index 3ded28632e4c..ad1d6e548503 100644
> > --- a/drivers/i2c/busses/i2c-cp2615.c
> > +++ b/drivers/i2c/busses/i2c-cp2615.c
> > @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> > } else {
> > i2c_w.read_len = 0;
> > i2c_w.write_len = msg->len;
> > + if (msg->len > sizeof(i2c_w.data))
> > + return -EINVAL;
>
> Please move this up to line 225, as an invalid `read_len` is also an
> error and should bail out accordingly.
>
I don't see the bug. Is that something that requires knowledge of the
hardware?
regards,
dan carpenter
next prev parent reply other threads:[~2022-10-14 7:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-12 14:51 [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer() Dan Carpenter
2022-10-13 18:02 ` Bence Csókás
2022-10-14 7:03 ` Dan Carpenter [this message]
2022-10-14 11:17 ` Bence Csókás
2022-10-14 14:23 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y0kJrSozgFotrWVt@kadam \
--to=dan.carpenter@oracle.com \
--cc=bence98@sch.bme.hu \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-i2c@vger.kernel.org \
--cc=wsa@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.