From: Jean Delvare <jdelvare@suse.de>
To: w15303746062@163.com
Cc: andi.shyti@kernel.org, linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: Re: [PATCH] i2c: i801: Fix kernel stack buffer overflow in i801_block_transaction_byte_by_byte
Date: Tue, 12 May 2026 09:33:15 +0200
Message-ID: <20260512092822.6b403fd5@endymion>
In-Reply-To: <20260511150005.305818-1-w15303746062@163.com>
Hi Wang,
On Mon, 11 May 2026 23:00:05 +0800, w15303746062@163.com wrote:
> A kernel stack buffer overflow exists in the
> i801_block_transaction_byte_by_byte() function due to a missing bounds
> check on the user-provided block length.
>
> When userspace executes an ioctl(I2C_SMBUS) with the
> I2C_SMBUS_I2C_BLOCK_DATA command, the user data is copied into a local
> stack variable `union i2c_smbus_data temp` (which is approximately 34
> bytes) in i2cdev_ioctl_smbus(). This data is then passed unmodified
Approximately, really?
> through i2c_smbus_xfer() and i801_access() directly into
> i801_block_transaction_byte_by_byte().
This is incorrect. i801_block_transaction_byte_by_byte() is not called
directly by i801_access(). i801_access() calls either
i801_smbus_block_transaction() or i801_i2c_block_transaction(), which
in turn call i801_block_transaction_byte_by_byte().
This is important because both i801_smbus_block_transaction() and
i801_i2c_block_transaction() already check the value of data->block[0]
and reject invalid values.
Therefore the stack buffer overflow you intend to fix can't happen in
the first place.
Out of curiosity, what amount of AI was involved in the discovery of
this "bug" and in the creation of this patch?
--
Jean Delvare
SUSE L3 Support
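To make the point of the reply concrete, the following is an added illustration and not code from the i801 driver or from the patch under discussion. It models the two layers Jean describes: a byte-by-byte helper that trusts the length in block[0], and a caller that range-checks that length before the helper runs. The union layout and I2C_SMBUS_BLOCK_MAX mirror include/uapi/linux/i2c.h; the exact accepted range (1..I2C_SMBUS_BLOCK_MAX), the model_* function names and the 32-byte "device" register file are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors include/uapi/linux/i2c.h: largest payload an SMBus block
 * transfer can carry. */
#define I2C_SMBUS_BLOCK_MAX 32

/* Same layout as the uapi union i2c_smbus_data that i2cdev_ioctl_smbus()
 * copies into its stack variable: block[0] is the length, block[1..] the
 * payload, so the array is exactly I2C_SMBUS_BLOCK_MAX + 2 = 34 bytes. */
union smbus_data_model {
	uint8_t  byte;
	uint16_t word;
	uint8_t  block[I2C_SMBUS_BLOCK_MAX + 2];
};

/* Hypothetical stand-in for the byte-by-byte helper: it trusts block[0]
 * and writes that many bytes into block[1..len]. Reached on its own with
 * block[0] == 255 it would write 222 bytes past the union. */
static void model_byte_by_byte_read(union smbus_data_model *data,
				    const uint8_t *dev_regs, size_t nregs)
{
	size_t len = data->block[0];
	size_t i;

	for (i = 1; i <= len; i++)
		data->block[i] = dev_regs[(i - 1) % nregs];
}

/* Hypothetical stand-in for the caller-side gate: the userspace-supplied
 * length is range-checked here (assumed range 1..I2C_SMBUS_BLOCK_MAX), so
 * the helper above is never entered with a value the 34-byte buffer
 * cannot hold. Returns 0 on success, -1 for a rejected length. */
static int model_block_transaction(union smbus_data_model *data,
				   const uint8_t *dev_regs, size_t nregs)
{
	uint8_t len = data->block[0];

	if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
		return -1;
	model_byte_by_byte_read(data, dev_regs, nregs);
	return 0;
}

/* Highest block[] index the helper writes for an accepted length: the loop
 * runs i = 1..len, so with len <= 32 the last write is block[32], inside
 * the 34-byte array. */
static size_t model_highest_index_written(uint8_t len)
{
	return len;
}

/* Drive the model with a constructed 32-byte "device" register file and a
 * chosen (untrusted) length. Returns the gate's verdict so callers can
 * check accept/reject behaviour and inspect the filled buffer. */
static int model_run(uint8_t requested_len, union smbus_data_model *out)
{
	uint8_t regs[I2C_SMBUS_BLOCK_MAX];   /* constructed sample data */
	size_t i;

	for (i = 0; i < sizeof(regs); i++)
		regs[i] = (uint8_t)(0xA0 + i);
	memset(out, 0, sizeof(*out));
	out->block[0] = requested_len;       /* as copied in from ioctl() */
	return model_block_transaction(out, regs, sizeof(regs));
}

int main(void)
{
	union smbus_data_model d;
	uint8_t lens[] = { 0, 5, 32, 33, 255 };
	size_t i;

	for (i = 0; i < sizeof(lens); i++) {
		int rc = model_run(lens[i], &d);
		printf("block[0]=%3u -> %s (highest index if accepted: %zu)\n",
		       lens[i], rc ? "rejected" : "accepted",
		       model_highest_index_written(lens[i]));
	}
	return 0;
}
```

The helper is deliberately left without its own check so that the example shows exactly why the reply calls the reported overflow unreachable: the only way to reach it is through a caller that has already rejected every length above 32, and 32 keeps the last write at block[32] of a 34-byte array.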
Thread overview (3+ messages):
2026-05-11 15:00 [PATCH] i2c: i801: Fix kernel stack buffer overflow in i801_block_transaction_byte_by_byte  w15303746062
2026-05-12  7:33 ` Jean Delvare [this message]
2026-05-12  9:13 ` 王明煜