From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x224XxoUl/K1c0nvHei8vLdEhQb/vJ62CMBHtFmdfuwE8bXfJD1La2YUuqQggLPNcDOe9jccO ARC-Seal: i=1; a=rsa-sha256; t=1516611179; cv=none; d=google.com; s=arc-20160816; b=orAHbxKj6C2PM4rGMVkt3TrdG+nZVx4qWe3VMKMNJidf8CiY849zaZq8aobGuIX82E m50UUoIS53d7aHUSLPIEHCcGVpAX2BjehjuMABHZrmpCfBT7TWRspUJaicUBbkzArP6/ tAwhMa060TyVBH2fb9SiTszNO0ZP4WToZ03vn++yJHMJY+TQGkD2i1pz/jh9jaj+u3JJ FIEcNE6CFGWiD5p7SNqtxOJNRvdxQAO3NLITUvrrzdtsLH76WYpuLM+6Pvfx6D27EVSJ gmXhvXEtsry4+vEBaqGVfUeyUv/WioJ0MPzCN/Tqf69rmPBwBvY/DkKB4FVwsx7/oxXG g4Jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=0Qe91BG39zHTh+M0RL35C6NuRtZRb6TOAyd3+qV4IBg=; b=BgrQPgk4JNB7DgxMPC5K/wrQZvycwCxaume+eHzYv+uKXzKxm/iu6hgnK7Uue4D8JU uFq3HaUfgKLGAOHSY9isRyKtA/y7Vaji5bk6J3s272ss8Kv6PyepWI5pb5dQOyDV/LNE fk1E/JIX2KN38i1yiwMhdONBjoK7s6HwSaadOWaVet3CPxi0lzUCixS7x+iR4nOwM237 KqcUiwjxu9kMJlc6h2oTgpDUxg4f4PeSmA5GAiiXxf2f5e7X/MBPTQntVE6vC4oE4JJS CUrNk/ugUxXrMu8gCgWSJn0KRbYEIdsr8bRIg5ONA0wqyXmbNphtS2sKYPoaIVA+60yr i9+g== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jeremy Compostella , Wolfram Sang Subject: [PATCH 4.14 63/89] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Date: Mon, 22 Jan 2018 09:45:43 +0100 Message-Id: <20180122084000.894059946@linuxfoundation.org> X-Mailer: git-send-email 2.16.0 In-Reply-To: <20180122083954.683903493@linuxfoundation.org> References: <20180122083954.683903493@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590282083891084760?= X-GMAIL-MSGID: =?utf-8?q?1590282083891084760?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jeremy Compostella commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream. On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes data out of the msgbuf1 array boundary. It is possible from a user application to run into that issue by calling the I2C_SMBUS ioctl with data.block[0] greater than I2C_SMBUS_BLOCK_MAX + 1. This patch makes the code compliant with Documentation/i2c/dev-interface by raising an error when the requested size is larger than 32 bytes. Call Trace: [] dump_stack+0x67/0x92 [] panic+0xc5/0x1eb [] ? vprintk_default+0x1f/0x30 [] ? i2cdev_ioctl_smbus+0x303/0x320 [] __stack_chk_fail+0x1b/0x20 [] i2cdev_ioctl_smbus+0x303/0x320 [] i2cdev_ioctl+0x4d/0x1e0 [] do_vfs_ioctl+0x2ba/0x490 [] ? security_file_ioctl+0x43/0x60 [] SyS_ioctl+0x79/0x90 [] entry_SYSCALL_64_fastpath+0x12/0x6a Signed-off-by: Jeremy Compostella Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman --- drivers/i2c/i2c-core-smbus.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c @@ -396,16 +396,17 @@ static s32 i2c_smbus_xfer_emulated(struc the underlying bus driver */ break; case I2C_SMBUS_I2C_BLOCK_DATA: + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { + dev_err(&adapter->dev, "Invalid block %s size %d\n", + read_write == I2C_SMBUS_READ ? "read" : "write", + data->block[0]); + return -EINVAL; + } + if (read_write == I2C_SMBUS_READ) { msg[1].len = data->block[0]; } else { msg[0].len = data->block[0] + 1; - if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { - dev_err(&adapter->dev, - "Invalid block write size %d\n", - data->block[0]); - return -EINVAL; - } for (i = 1; i <= data->block[0]; i++) msgbuf0[i] = data->block[i]; }