[PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master

public inbox for linux-i2c@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
@ 2022-10-12 14:51 Dan Carpenter
  2022-10-13 18:02 ` Bence Csókás
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2022-10-12 14:51 UTC (permalink / raw)
  To: Bence Csókás; +Cc: Wolfram Sang, linux-i2c, kernel-janitors

The "msg->len" can be controlled by the user via the ioctl.  We need to
ensure that it is not too large.

Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/i2c/busses/i2c-cp2615.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
index 3ded28632e4c..ad1d6e548503 100644
--- a/drivers/i2c/busses/i2c-cp2615.c
+++ b/drivers/i2c/busses/i2c-cp2615.c
@@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
 		} else {
 			i2c_w.read_len = 0;
 			i2c_w.write_len = msg->len;
+			if (msg->len > sizeof(i2c_w.data))
+				return -EINVAL;
 			memcpy(&i2c_w.data, msg->buf, i2c_w.write_len);
 		}
 		ret = cp2615_i2c_send(usbif, &i2c_w);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
  2022-10-12 14:51 [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer() Dan Carpenter
@ 2022-10-13 18:02 ` Bence Csókás
  2022-10-14  7:03   ` Dan Carpenter
  0 siblings, 1 reply; 5+ messages in thread
From: Bence Csókás @ 2022-10-13 18:02 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Wolfram Sang, linux-i2c, kernel-janitors

Dan Carpenter <dan.carpenter@oracle.com> ezt írta (időpont: 2022. okt.
12., Sze, 16:52):
>
> The "msg->len" can be controlled by the user via the ioctl.  We need to
> ensure that it is not too large.

Does the I2C core not check that submitted msgs do not exceed maximums
specified in `i2c_adapter_quirks`? @WSA?
If not, other drivers may also have this issue.

> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/i2c/busses/i2c-cp2615.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> index 3ded28632e4c..ad1d6e548503 100644
> --- a/drivers/i2c/busses/i2c-cp2615.c
> +++ b/drivers/i2c/busses/i2c-cp2615.c
> @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
>                 } else {
>                         i2c_w.read_len = 0;
>                         i2c_w.write_len = msg->len;
> +                       if (msg->len > sizeof(i2c_w.data))
> +                               return -EINVAL;

Please move this up to line 225, as an invalid `read_len` is also an
error and should bail out accordingly.

>                         memcpy(&i2c_w.data, msg->buf, i2c_w.write_len);
>                 }
>                 ret = cp2615_i2c_send(usbif, &i2c_w);
> --
> 2.35.1
>
>

Bence

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
  2022-10-13 18:02 ` Bence Csókás
@ 2022-10-14  7:03   ` Dan Carpenter
  2022-10-14 11:17     ` Bence Csókás
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2022-10-14  7:03 UTC (permalink / raw)
  To: Bence Csókás; +Cc: Wolfram Sang, linux-i2c, kernel-janitors

On Thu, Oct 13, 2022 at 08:02:04PM +0200, Bence Csókás wrote:
> Dan Carpenter <dan.carpenter@oracle.com> ezt írta (időpont: 2022. okt.
> 12., Sze, 16:52):
> >
> > The "msg->len" can be controlled by the user via the ioctl.  We need to
> > ensure that it is not too large.
> 
> Does the I2C core not check that submitted msgs do not exceed maximums
> specified in `i2c_adapter_quirks`? @WSA?
> If not, other drivers may also have this issue.
> 

I fixed another driver as well.

The other related bugs we've been fixing recently are related to
i2cdev_ioctl().  So it's not 100% the same, but similar.


> > Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >  drivers/i2c/busses/i2c-cp2615.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> > index 3ded28632e4c..ad1d6e548503 100644
> > --- a/drivers/i2c/busses/i2c-cp2615.c
> > +++ b/drivers/i2c/busses/i2c-cp2615.c
> > @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> >                 } else {
> >                         i2c_w.read_len = 0;
> >                         i2c_w.write_len = msg->len;
> > +                       if (msg->len > sizeof(i2c_w.data))
> > +                               return -EINVAL;
> 
> Please move this up to line 225, as an invalid `read_len` is also an
> error and should bail out accordingly.
> 

I don't see the bug.  Is that something that requires knowledge of the
hardware?

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
  2022-10-14  7:03   ` Dan Carpenter
@ 2022-10-14 11:17     ` Bence Csókás
  2022-10-14 14:23       ` Dan Carpenter
  0 siblings, 1 reply; 5+ messages in thread
From: Bence Csókás @ 2022-10-14 11:17 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Wolfram Sang, linux-i2c, kernel-janitors

Dan Carpenter <dan.carpenter@oracle.com> ezt írta (időpont: 2022. okt.
14., P, 9:03):
> > >  drivers/i2c/busses/i2c-cp2615.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> > > index 3ded28632e4c..ad1d6e548503 100644
> > > --- a/drivers/i2c/busses/i2c-cp2615.c
> > > +++ b/drivers/i2c/busses/i2c-cp2615.c
> > > @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> > >                 } else {
> > >                         i2c_w.read_len = 0;
> > >                         i2c_w.write_len = msg->len;
> > > +                       if (msg->len > sizeof(i2c_w.data))
> > > +                               return -EINVAL;
> >
> > Please move this up to line 225, as an invalid `read_len` is also an
> > error and should bail out accordingly.
> >
>
> I don't see the bug.  Is that something that requires knowledge of the
> hardware?

No, what I mean is that you put the check in the else clause of
> if (msg->flags & I2C_M_RD) {
But a `msg->len > MAX_I2C_SIZE` is invalid, regardless of `msg->flags`.
So the check should be outside if the `if`.

> regards,
> dan carpenter

Bence

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()
  2022-10-14 11:17     ` Bence Csókás
@ 2022-10-14 14:23       ` Dan Carpenter
  0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2022-10-14 14:23 UTC (permalink / raw)
  To: Bence Csókás
  Cc: Wolfram Sang, linux-i2c, kernel-janitors, Harshit Mogalapalli

On Fri, Oct 14, 2022 at 01:17:32PM +0200, Bence Csókás wrote:
> Dan Carpenter <dan.carpenter@oracle.com> ezt írta (időpont: 2022. okt.
> 14., P, 9:03):
> > > >  drivers/i2c/busses/i2c-cp2615.c | 2 ++
> > > >  1 file changed, 2 insertions(+)
> > > >
> > > > diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> > > > index 3ded28632e4c..ad1d6e548503 100644
> > > > --- a/drivers/i2c/busses/i2c-cp2615.c
> > > > +++ b/drivers/i2c/busses/i2c-cp2615.c
> > > > @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> > > >                 } else {
> > > >                         i2c_w.read_len = 0;
> > > >                         i2c_w.write_len = msg->len;
> > > > +                       if (msg->len > sizeof(i2c_w.data))
> > > > +                               return -EINVAL;
> > >
> > > Please move this up to line 225, as an invalid `read_len` is also an
> > > error and should bail out accordingly.
> > >
> >
> > I don't see the bug.  Is that something that requires knowledge of the
> > hardware?
> 
> No, what I mean is that you put the check in the else clause of
> > if (msg->flags & I2C_M_RD) {
> But a `msg->len > MAX_I2C_SIZE` is invalid, regardless of `msg->flags`.
> So the check should be outside if the `if`.
> 

Hm...  I was looking at how that could be added at a lower level and
actually the quirks code you mentioned earlier takes care of this in
i2c_check_for_quirks().

So this patch is not required.  Please drop it.  Sorry for the noise.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-10-14 14:29 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-12 14:51 [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer() Dan Carpenter
2022-10-13 18:02 ` Bence Csókás
2022-10-14  7:03   ` Dan Carpenter
2022-10-14 11:17     ` Bence Csókás
2022-10-14 14:23       ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox