From: w15303746062@163.com
To: jdelvare@suse.com, andi.shyti@kernel.org
Cc: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: [PATCH] i2c: i801: Fix kernel stack buffer overflow in i801_block_transaction_byte_by_byte
Date: Mon, 11 May 2026 23:00:05 +0800 [thread overview]
Message-ID: <20260511150005.305818-1-w15303746062@163.com> (raw)
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
A kernel stack buffer overflow exists in the
i801_block_transaction_byte_by_byte() function due to a missing bounds
check on the user-provided block length.
When userspace executes an ioctl(I2C_SMBUS) with the
I2C_SMBUS_I2C_BLOCK_DATA command, the user data is copied into a local
stack variable `union i2c_smbus_data temp` (which is approximately 34
bytes) in i2cdev_ioctl_smbus(). This data is then passed unmodified
through i2c_smbus_xfer() and i801_access() directly into
i801_block_transaction_byte_by_byte().
The length of the transaction is blindly extracted from
`data->block[0]`. If a malicious user provides a maliciously large
length (e.g., 255), the subsequent `for (i = 1; i <= len; i++)` loop
will drive `ioread8()` to continuously read from the hardware and
write out-of-bounds into the `data->block` array. This completely
overwrites the 34-byte `temp` stack variable in i2cdev_ioctl_smbus(),
clobbering the kernel stack's return address and leading to control
flow hijacking (e.g., jumping to NX-protected pages).
Fix this by strictly validating that the length does not exceed
I2C_SMBUS_BLOCK_MAX before entering the read/write loop.
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
---
drivers/i2c/busses/i2c-i801.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index 32a3cef02c7b..b85c3f029d7c 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -683,6 +683,14 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv,
return -EOPNOTSUPP;
len = data->block[0];
+ /*
+ * Prevent kernel stack buffer overflow.
+ * The user-provided length must not exceed the maximum SMBus block size.
+ * Without this check, a malicious I2C_SMBUS_I2C_BLOCK_DATA ioctl can
+ * overwrite the stack variable allocated in i2cdev_ioctl_smbus().
+ */
+ if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
if (read_write == I2C_SMBUS_WRITE) {
iowrite8(len, SMBHSTDAT0(priv));
--
2.34.1
next reply other threads:[~2026-05-11 15:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 15:00 w15303746062 [this message]
2026-05-12 7:33 ` [PATCH] i2c: i801: Fix kernel stack buffer overflow in i801_block_transaction_byte_by_byte Jean Delvare
2026-05-12 9:13 ` 王明煜
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260511150005.305818-1-w15303746062@163.com \
--to=w15303746062@163.com \
--cc=25181214217@stu.xidian.edu.cn \
--cc=andi.shyti@kernel.org \
--cc=jdelvare@suse.com \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox