From: Krzysztof Kozlowski <krzk@kernel.org>
To: Maoyi Xie <maoyixie.tju@gmail.com>, Jan Kandziora <jjj@gmx.de>
Cc: Jakub Kicinski <kuba@kernel.org>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Andi Shyti <andi.shyti@kernel.org>,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: w1: ds28e17: possible out of bounds write from a device length byte
Date: Mon, 29 Jun 2026 11:49:38 +0200 [thread overview]
Message-ID: <22e94aaa-0c11-45f4-8317-204ac4be66ec@kernel.org> (raw)
In-Reply-To: <178177668382.3462209.6459868495361731106@maoyixie.com>
On 18/06/2026 11:58, Maoyi Xie wrote:
> Hi all,
>
> I think w1_f19_i2c_master_transfer() in drivers/w1/slaves/w1_ds28e17.c can
> write past the SMBus buffer when an I2C device behind the DS28E17 bridge
> reports a large length. I would appreciate it if you could take a look.
>
> On an I2C_M_RECV_LEN read the driver takes the length from the device.
>
> if (msgs[i].flags & I2C_M_RECV_LEN) {
> result = w1_f19_i2c_read(sl, msgs[i].addr,
> &(msgs[i].buf[1]), msgs[i].buf[0]);
>
> buf[0] is the length byte a previous read filled in from the device, so it
> can be anything from 0 to 255. w1_f19_i2c_read() only rejects a zero count
> and then writes that many bytes into buf[1].
That's exactly the bug AI tends to find... Easy to spot pattern and then
figuring out the logic leading to it. Maybe it is real, maybe not, but
the AI feels like too big threat of wasting my time (and you did not
even disclose it).
Reading based on length supplied by device is of course risky, but isn't
the rest of the master_xfer implementations doing the same? IOW, what is
different here? Or they do not do it, so you have the answer to your
question?
>
> The buffer the SMBus core hands in is I2C_SMBUS_BLOCK_MAX + 2, so 34 bytes,
> with msg.len set to 1. A device that reports a length above 32 makes the
> read run past the 34 byte buffer, up to about 222 bytes out of bounds.
>
> The SMBus emulation does check buf[0] against I2C_SMBUS_BLOCK_MAX, but that
> runs after the transfer returns, so it cannot stop the write that already
> happened. A compliant bit banging adapter rejects the over long length
> before copying, in i2c-algo-bit.
>
> The attacker here is a malicious or faulty I2C device sitting behind a
Malicious DS28E17? Feels like AI convinced you that it is a thing...
> DS28E17 1-wire to I2C bridge. It controls the length byte it returns.
>
> I reproduced it under KASAN on 7.1-rc7. With a length of 32 the write stays
How did you reproduce it? Do you have ds28e17?
> inside the buffer. With a length of 255 KASAN reports a slab out of bounds
> write past the 34 byte allocation.
>
> The fix I tried rejects a length above I2C_SMBUS_BLOCK_MAX at the two
> I2C_M_RECV_LEN sites, before the second read.
>
> Does this look like a real bug to you? If it does I am happy to send a
Did not investigate enough to judge. I am sorry but my expectation is
not to investigate AI-based reports. Expectation is rather to get a
human created and human validated patch, regardless whether human or AI
produced the report.
Best regards,
Krzysztof
next prev parent reply other threads:[~2026-06-29 9:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 9:58 w1: ds28e17: possible out of bounds write from a device length byte Maoyi Xie
2026-06-29 9:49 ` Krzysztof Kozlowski [this message]
2026-06-29 12:02 ` Maoyi Xie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22e94aaa-0c11-45f4-8317-204ac4be66ec@kernel.org \
--to=krzk@kernel.org \
--cc=andi.shyti@kernel.org \
--cc=jjj@gmx.de \
--cc=kuba@kernel.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maoyixie.tju@gmail.com \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox