From: Maoyi Xie <maoyixie.tju@gmail.com>
To: Krzysztof Kozlowski <krzk@kernel.org>, Jan Kandziora <jjj@gmx.de>
Cc: Wolfram Sang <wsa+renesas@sang-engineering.com>,
Andi Shyti <andi.shyti@kernel.org>,
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] w1: ds28e17: reject an oversize length on an I2C block read
Date: Mon, 29 Jun 2026 20:10:43 +0800 [thread overview]
Message-ID: <20260629121043.199487-1-maoyixie.tju@gmail.com> (raw)
w1_f19_i2c_master_transfer() is the master_xfer for the DS28E17 1-Wire
to I2C bridge. On an I2C_M_RECV_LEN read, it takes the length from the
device. The downstream slave puts a length byte in buf[0]. The driver
then reads that many bytes into buf[1] with w1_f19_i2c_read().
buf[0] is controlled by the device and can be 0 to 255.
w1_f19_i2c_read() only rejects a zero count. The caller buffer is
I2C_SMBUS_BLOCK_MAX + 2, so 34 bytes. A length above 32 makes the read
run past it, up to about 222 bytes out of bounds.
The SMBus core does check buf[0] against I2C_SMBUS_BLOCK_MAX. That
check runs after master_xfer returns. By then the write is already
done. i2c-algo-bit rejects an oversize length before it copies, and
returns -EPROTO.
Reject a length above I2C_SMBUS_BLOCK_MAX at both RECV_LEN sites, the
same way i2c-algo-bit does.
Fixes: ebc4768ac497 ("add w1_ds28e17 driver for the DS28E17 Onewire to I2C master bridge")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/w1/slaves/w1_ds28e17.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/w1/slaves/w1_ds28e17.c b/drivers/w1/slaves/w1_ds28e17.c
index e53bc41bde3ca..b638963d4b595 100644
--- a/drivers/w1/slaves/w1_ds28e17.c
+++ b/drivers/w1/slaves/w1_ds28e17.c
@@ -389,6 +389,10 @@ static int w1_f19_i2c_master_transfer(struct i2c_adapter *adapter,
* another simple read in that case.
*/
if (msgs[i+1].flags & I2C_M_RECV_LEN) {
+ if (msgs[i+1].buf[0] > I2C_SMBUS_BLOCK_MAX) {
+ i = -EPROTO;
+ goto error;
+ }
result = w1_f19_i2c_read(sl, msgs[i+1].addr,
&(msgs[i+1].buf[1]), msgs[i+1].buf[0]);
if (result < 0) {
@@ -415,6 +419,10 @@ static int w1_f19_i2c_master_transfer(struct i2c_adapter *adapter,
* another simple read in that case.
*/
if (msgs[i].flags & I2C_M_RECV_LEN) {
+ if (msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) {
+ i = -EPROTO;
+ goto error;
+ }
result = w1_f19_i2c_read(sl,
msgs[i].addr,
&(msgs[i].buf[1]),
--
2.34.1
next reply other threads:[~2026-06-29 12:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 12:10 Maoyi Xie [this message]
2026-07-02 16:38 ` [PATCH] w1: ds28e17: reject an oversize length on an I2C block read Andi Shyti
2026-07-02 16:41 ` Krzysztof Kozlowski
2026-07-02 19:07 ` Andi Shyti
2026-07-03 9:45 ` Krzysztof Kozlowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629121043.199487-1-maoyixie.tju@gmail.com \
--to=maoyixie.tju@gmail.com \
--cc=andi.shyti@kernel.org \
--cc=bjorn.andersson@oss.qualcomm.com \
--cc=jjj@gmx.de \
--cc=krzk@kernel.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox