From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2DF9EC43381 for ; Mon, 1 Apr 2019 20:54:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EFF602133D for ; Mon, 1 Apr 2019 20:54:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="b+y5295R" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726905AbfDAUyq (ORCPT ); Mon, 1 Apr 2019 16:54:46 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:56032 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726725AbfDAUyq (ORCPT ); Mon, 1 Apr 2019 16:54:46 -0400 Received: by mail-qk1-f201.google.com with SMTP id g25so9645294qkm.22 for ; Mon, 01 Apr 2019 13:54:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=w7KkbsUv3cDIalugpVd3RF2ZH7kx9RV9kbx3+P+AgZc=; b=b+y5295RwnnwzeQcoY3eu/vfBr9SyynxJh0zS4bHACT5KceMwvL3/w/YIXA0RLIKDt cdCXJ2WpK34lSnHyjIYh/SLFerdfLxF3X+U1QRoL0LDGncspYs82qyaCFt5BLBERk3wa zenKNOteK9VkK1WgzvLeTf36t9fq9LhMxIs7fdUBpJeRUteGWiJwDA1aqOOvjgaab3zA SoxEDh0UoN035HCFHTPajlH95rsViUiinFUueB7tXY4nGpM8Ak2FIWgPfY7mYtTdhWdn XDfPfMv3Q/ohJqJUE8q5kU8/ABjb4YnCbLulfAo6IJpkVrx7pGgHKH0+PAmS8dzgj6Sa xNxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=w7KkbsUv3cDIalugpVd3RF2ZH7kx9RV9kbx3+P+AgZc=; b=FGsrFBNwqvqdVaotIJLJUwWUkc5b7cmENjDCV2KhuCkXM41i2lswMu8RI647BVZrHL d/tKrpDz+fJgg9oG32uLJcMaRzFZTkfwjZswRaW3U+MS1kdUd3J48ahGO0tBFLJ5fl0u nExMn5rYA8ny0qt5qs1kVXNBzyf/bC6KMY9eoS1m/eVxCZFb7szmxreTzJxv5hIOXaAu xVUzJfdC8FNg6nt/YEJ3DBQejpFpG8I3hLLwtsrGM/Q1OeW3jMqtBEdlWiRbIbwttv7L hDWtuo32ND7whh8jv6flwCiVlSWb/wdOQNF1Z9S41/CrLxMqqzBzLjWw4x1QjdEDkZBQ u/jA== X-Gm-Message-State: APjAAAWTp2S8h2CGGDmo37VBYgv84fMrzk2oHv2vvp74exds0jC5D6q4 pXUMe4M23TQSMm8abXjfpPbK6d4UN/i0GM2QdN58RCkVEInWKVOxLa9ycsiJLJCcAzX+ToBNT0D PJUO/L6Blhq4rgEZx7kP0oufXmX62qj98J8krNrD7hQXJlYSzx6b3TqmXVoG/9+++ X-Google-Smtp-Source: APXvYqxMpkU45YjjHye4BvW4XwVJ0Rqb13a1Y7/HuYl9yOr/F5VCxzSPEZCoRp1trRd+VCZmSUoSZZnXfErG X-Received: by 2002:a0c:b204:: with SMTP id x4mr6986006qvd.17.1554152085587; Mon, 01 Apr 2019 13:54:45 -0700 (PDT) Date: Mon, 1 Apr 2019 13:54:41 -0700 Message-Id: <20190401205441.65245-1-connoro@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA From: "Connor O'Brien" To: stable@vger.kernel.org Cc: Jeremy Compostella , Wolfram Sang , stable@kernel.org, "Connor O'Brien" Content-Type: text/plain; charset="UTF-8" Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jeremy Compostella commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream. On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes data out of the msgbuf1 array boundary. It is possible from a user application to run into that issue by calling the I2C_SMBUS ioctl with data.block[0] greater than I2C_SMBUS_BLOCK_MAX + 1. This patch makes the code compliant with Documentation/i2c/dev-interface by raising an error when the requested size is larger than 32 bytes. Call Trace: [] dump_stack+0x67/0x92 [] panic+0xc5/0x1eb [] ? vprintk_default+0x1f/0x30 [] ? i2cdev_ioctl_smbus+0x303/0x320 [] __stack_chk_fail+0x1b/0x20 [] i2cdev_ioctl_smbus+0x303/0x320 [] i2cdev_ioctl+0x4d/0x1e0 [] do_vfs_ioctl+0x2ba/0x490 [] ? security_file_ioctl+0x43/0x60 [] SyS_ioctl+0x79/0x90 [] entry_SYSCALL_64_fastpath+0x12/0x6a Signed-off-by: Jeremy Compostella Signed-off-by: Wolfram Sang Cc: stable@kernel.org [connoro@google.com: 4.9 backport: adjust filename] Signed-off-by: Connor O'Brien --- drivers/i2c/i2c-core.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c index 7484aac1e14d..80d82c6792d8 100644 --- a/drivers/i2c/i2c-core.c +++ b/drivers/i2c/i2c-core.c @@ -3250,16 +3250,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, the underlying bus driver */ break; case I2C_SMBUS_I2C_BLOCK_DATA: + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { + dev_err(&adapter->dev, "Invalid block %s size %d\n", + read_write == I2C_SMBUS_READ ? "read" : "write", + data->block[0]); + return -EINVAL; + } if (read_write == I2C_SMBUS_READ) { msg[1].len = data->block[0]; } else { msg[0].len = data->block[0] + 1; - if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { - dev_err(&adapter->dev, - "Invalid block write size %d\n", - data->block[0]); - return -EINVAL; - } for (i = 1; i <= data->block[0]; i++) msgbuf0[i] = data->block[i]; } -- 2.21.0.392.gf8f6787159e-goog