From: Jean Delvare <jdelvare@suse.de>
To: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Andi Shyti <andi.shyti@kernel.org>,
Jarkko Nikula <jarkko.nikula@linux.intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Jan Dabros <jsd@semihalf.com>,
linux-i2c@vger.kernel.org
Subject: Recent i2c-designware initialization fix
Date: Wed, 17 Sep 2025 13:04:50 +0200
Message-ID: <20250917130450.50ff0db3@endymion>

Hello Michael,

I have been looking into your kernel commit 3d30048958e0
("i2c/designware: Fix an initialization issue"), as it received a CVE
number (CVE-2025-38380), I was asked to evaluate the severity of the
bug.

I was not familiar with the i2c-designware driver so it took me some
reading time to form an opinion on the matter. But after a careful
review, my conclusion is that there was no actual bug in the first
place. If I'm correct then CVE-2025-38380 is invalid.

My reasoning is as follows:

* struct dw_i2c_dev is allocated per-PCI device in i2c_dw_pci_probe()
  using devm_kzalloc(), therefore all its members, including
  dev->msg_write_idx, are initialized to 0.
* The supposedly problematic code path is only taken if (dev->flags &
  MODEL_MASK) == MODEL_AMD_NAVI_GPU.
* The only place where dev->msg_write_idx is set to a non-zero value is
  in i2c_dw_xfer_msg(). This function is only called by i2c_dw_isr(),
  which in turn is only called if the device is not in polling mode.
* The flags set for the AMD Navi GPU devices are:
      dev->flags |= MODEL_AMD_NAVI_GPU | ACCESS_POLLING
  so these devices are always in polling mode and never use an
  interrupt so i2c_dw_isr() is never called for them.

If my reasoning is correct, then for the AMD Navi GPU devices,
dev->msg_write_idx is implicitly initialized to 0 at allocation time
and its value is never changed after that, so the explicit
initialization to 0 which has been added in amd_i2c_dw_xfer_quirk() is
a no-op.

What do you think? Am I missing something?

Thanks,
--
Jean Delvare
SUSE L3 Support