From: "Uwe Kleine-König" <u.kleine-koenig-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
To: Wolfram Sang <wsa-z923LK4zBo2bacvFa/9K2g@public.gmane.org>
Cc: Marek Vasut <marex-ynQEQJNshbs@public.gmane.org>,
linux-i2c-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: I2C_M_RECV_LEN for i2c-mxs
Date: Tue, 16 Apr 2013 09:59:44 +0200
Message-ID: <20130416075944.GK30416@pengutronix.de>
In-Reply-To: <20130414115757.GA9013-z923LK4zBo2bacvFa/9K2g@public.gmane.org>
Hi Wolfram,
On Sun, Apr 14, 2013 at 01:57:58PM +0200, Wolfram Sang wrote:
> > Ah, ok. But then there is a different problem: Even though "my" driver
> > only advertises I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL calling
> > i2c_smbus_read_block_data in userspace results in .master_xfer being
> > called with I2C_M_RECV_LEN set.
>
> From Documentation/i2c/functionality:
>
> Because not every I2C or SMBus adapter implements everything in the
> I2C specifications, a client can not trust that everything it needs
> is implemented when it is given the option to attach to an adapter:
> the client needs some way to check whether an adapter has the needed
> functionality...
While adding support for I2C_M_RECV_LEN I forgot to write the length data
to the first byte in the message buffer which happened to be initialized
with 0xff. This made i2c_smbus_xfer_emulated copy 255 bytes to
data->block overflowing the array and so resulting in stack corruption.

I think the same could be accomplished with a non-broken driver (e.g. by
calling i2c_smbus_read_block_data for an eeprom that is interpreted as a
1 byte read by the i2c bus driver. If the read byte is big enough the
same stack corruption occurs). So IMHO the i2c core should be a bit more
careful here and either not let i2c_smbus_xfer_emulated call the xfer
callback of a driver that is not capable of handling I2C_M_RECV_LEN with a
message that has this bit set or at least assert that data->block isn't
written to out of bounds.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | http://www.pengutronix.de/ |
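
Added example, not part of the original message and not kernel code: a user-space model of the bounds check the message asks for, where the length byte returned by the bus driver is validated before it is used as a copy length. `struct smbus_block`, `copy_block_reply` and the sample buffers are constructed for illustration; `BLOCK_MAX` mirrors the kernel's I2C_SMBUS_BLOCK_MAX.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX 32  /* same value as the kernel's I2C_SMBUS_BLOCK_MAX */

/* Stand-in for the block member of union i2c_smbus_data:
 * block[0] holds the length, block[1..] the payload. */
struct smbus_block {
    uint8_t block[BLOCK_MAX + 2];
};

/* Constructed replies as a bus driver might leave them in the message buffer. */
static const uint8_t rx_unset[BLOCK_MAX + 2] = { 0xff };   /* length byte never written */
static const uint8_t rx_ok[]    = { 3, 0x11, 0x22, 0x33 }; /* well-formed 3-byte block */
static const uint8_t rx_short[] = { 5, 0x01, 0x02 };       /* claims more than was received */

/*
 * Copy a block-read reply into dst. rx[0] is device/driver supplied, so it is
 * validated against both the destination size and the bytes actually received
 * before it is used as a copy length. Returns 0 or -EPROTO.
 */
int copy_block_reply(struct smbus_block *dst, const uint8_t *rx, size_t rx_len)
{
    size_t count;

    if (rx_len < 1)
        return -EPROTO;
    count = rx[0];
    if (count > BLOCK_MAX || count + 1 > rx_len)
        return -EPROTO;
    memcpy(dst->block, rx, count + 1);  /* length byte plus payload */
    return 0;
}

int main(void)
{
    struct smbus_block d;

    memset(&d, 0, sizeof d);
    printf("unset length byte: %d\n", copy_block_reply(&d, rx_unset, sizeof rx_unset));
    printf("valid block:       %d\n", copy_block_reply(&d, rx_ok, sizeof rx_ok));
    printf("short reply:       %d\n", copy_block_reply(&d, rx_short, sizeof rx_short));
    return 0;
}
```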