* [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
@ 2019-04-01 20:54 Connor O'Brien
2019-04-03 14:06 ` Greg KH
0 siblings, 1 reply; 7+ messages in thread
From: Connor O'Brien @ 2019-04-01 20:54 UTC (permalink / raw)
To: stable; +Cc: Jeremy Compostella, Wolfram Sang, stable, Connor O'Brien
From: Jeremy Compostella <jeremy.compostella@intel.com>
commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.
On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.
It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.
This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.
Call Trace:
[<ffffffff8139f695>] dump_stack+0x67/0x92
[<ffffffff811802a4>] panic+0xc5/0x1eb
[<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
[<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
[<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
[<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
[<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
[<ffffffff811f7869>] SyS_ioctl+0x79/0x90
[<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 4.9 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
drivers/i2c/i2c-core.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index 7484aac1e14d..80d82c6792d8 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -3250,16 +3250,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
the underlying bus driver */
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev, "Invalid block %s size %d\n",
+ read_write == I2C_SMBUS_READ ? "read" : "write",
+ data->block[0]);
+ return -EINVAL;
+ }
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
} else {
msg[0].len = data->block[0] + 1;
- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
- dev_err(&adapter->dev,
- "Invalid block write size %d\n",
- data->block[0]);
- return -EINVAL;
- }
for (i = 1; i <= data->block[0]; i++)
msgbuf0[i] = data->block[i];
}
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
2019-04-01 20:54 [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Connor O'Brien
@ 2019-04-03 14:06 ` Greg KH
0 siblings, 0 replies; 7+ messages in thread
From: Greg KH @ 2019-04-03 14:06 UTC (permalink / raw)
To: Connor O'Brien; +Cc: stable, Jeremy Compostella, Wolfram Sang, stable
On Mon, Apr 01, 2019 at 01:54:41PM -0700, Connor O'Brien wrote:
> From: Jeremy Compostella <jeremy.compostella@intel.com>
>
> commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.
>
> On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> data out of the msgbuf1 array boundary.
>
> It is possible from a user application to run into that issue by
> calling the I2C_SMBUS ioctl with data.block[0] greater than
> I2C_SMBUS_BLOCK_MAX + 1.
>
> This patch makes the code compliant with
> Documentation/i2c/dev-interface by raising an error when the requested
> size is larger than 32 bytes.
>
> Call Trace:
> [<ffffffff8139f695>] dump_stack+0x67/0x92
> [<ffffffff811802a4>] panic+0xc5/0x1eb
> [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
> [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
> [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
> [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
> [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
> [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
> [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
> [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
> [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
>
> Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
> Cc: stable@kernel.org
> [connoro@google.com: 4.9 backport: adjust filename]
> Signed-off-by: Connor O'Brien <connoro@google.com>
> ---
> drivers/i2c/i2c-core.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
Thanks for these, now applied.
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
@ 2019-04-01 20:54 Connor O'Brien
0 siblings, 0 replies; 7+ messages in thread
From: Connor O'Brien @ 2019-04-01 20:54 UTC (permalink / raw)
To: stable; +Cc: Jeremy Compostella, Wolfram Sang, stable, Connor O'Brien
From: Jeremy Compostella <jeremy.compostella@intel.com>
commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.
On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.
It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.
This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.
Call Trace:
[<ffffffff8139f695>] dump_stack+0x67/0x92
[<ffffffff811802a4>] panic+0xc5/0x1eb
[<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
[<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
[<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
[<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
[<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
[<ffffffff811f7869>] SyS_ioctl+0x79/0x90
[<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 4.4 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
drivers/i2c/i2c-core.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index e4587411b447..153376009b46 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -2936,16 +2936,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
the underlying bus driver */
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev, "Invalid block %s size %d\n",
+ read_write == I2C_SMBUS_READ ? "read" : "write",
+ data->block[0]);
+ return -EINVAL;
+ }
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
} else {
msg[0].len = data->block[0] + 1;
- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
- dev_err(&adapter->dev,
- "Invalid block write size %d\n",
- data->block[0]);
- return -EINVAL;
- }
for (i = 1; i <= data->block[0]; i++)
msgbuf0[i] = data->block[i];
}
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
@ 2019-04-01 20:54 Connor O'Brien
0 siblings, 0 replies; 7+ messages in thread
From: Connor O'Brien @ 2019-04-01 20:54 UTC (permalink / raw)
To: stable; +Cc: Jeremy Compostella, Wolfram Sang, stable, Connor O'Brien
From: Jeremy Compostella <jeremy.compostella@intel.com>
commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.
On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.
It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.
This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.
Call Trace:
[<ffffffff8139f695>] dump_stack+0x67/0x92
[<ffffffff811802a4>] panic+0xc5/0x1eb
[<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
[<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
[<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
[<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
[<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
[<ffffffff811f7869>] SyS_ioctl+0x79/0x90
[<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 3.18 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
drivers/i2c/i2c-core.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index 7bd1b5cfb8d1..bb4b76f44fc9 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -2762,16 +2762,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
the underlying bus driver */
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev, "Invalid block %s size %d\n",
+ read_write == I2C_SMBUS_READ ? "read" : "write",
+ data->block[0]);
+ return -EINVAL;
+ }
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
} else {
msg[0].len = data->block[0] + 1;
- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
- dev_err(&adapter->dev,
- "Invalid block write size %d\n",
- data->block[0]);
- return -EINVAL;
- }
for (i = 1; i <= data->block[0]; i++)
msgbuf0[i] = data->block[i];
}
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
2017-11-27 18:38 ` Wolfram Sang
@ 2017-11-27 19:14 ` Compostella, Jeremy
0 siblings, 0 replies; 7+ messages in thread
From: Compostella, Jeremy @ 2017-11-27 19:14 UTC (permalink / raw)
To: Wolfram Sang; +Cc: linux-i2c
Wolfram Sang <wsa@the-dreams.de> writes:
> On Wed, Nov 15, 2017 at 12:54:09PM -0700, Compostella, Jeremy wrote:
> > On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> > greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> > data out of the msgbuf1 boundary.
> >
> > It is possible from a user application to run into that issue by call
> > the I2C_SMBUS ioctl with data.block[0] greater than
> > I2C_SMBUS_BLOCK_MAX + 1.
> From Documentation/i2c/dev-interface:
> ioctl(file, I2C_SMBUS, struct i2c_smbus_ioctl_data *args)
> Not meant to be called directly; instead, use the access functions
> below.
> Maybe we should add this info to the include file as well?
> But I guess we still shouldn't OOPS on this misuse...
I read that part of the documentation too. But still, I really think
this is an issue as there should not exist a so easy to corrupt the
Kernel stack.
Thanks,
Jeremy
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
2017-11-15 19:54 Compostella, Jeremy
@ 2017-11-27 18:38 ` Wolfram Sang
2017-11-27 19:14 ` Compostella, Jeremy
0 siblings, 1 reply; 7+ messages in thread
From: Wolfram Sang @ 2017-11-27 18:38 UTC (permalink / raw)
To: Compostella, Jeremy; +Cc: linux-i2c
[-- Attachment #1: Type: text/plain, Size: 765 bytes --]
On Wed, Nov 15, 2017 at 12:54:09PM -0700, Compostella, Jeremy wrote:
> On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> data out of the msgbuf1 boundary.
>
> It is possible from a user application to run into that issue by call
> the I2C_SMBUS ioctl with data.block[0] greater than
> I2C_SMBUS_BLOCK_MAX + 1.
From Documentation/i2c/dev-interface:
ioctl(file, I2C_SMBUS, struct i2c_smbus_ioctl_data *args)
Not meant to be called directly; instead, use the access functions
below.
Maybe we should add this info to the include file as well?
But I guess we still shouldn't OOPS on this misuse...
Will think about it...
Regards,
Wolfram
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
@ 2017-11-15 19:54 Compostella, Jeremy
2017-11-27 18:38 ` Wolfram Sang
0 siblings, 1 reply; 7+ messages in thread
From: Compostella, Jeremy @ 2017-11-15 19:54 UTC (permalink / raw)
To: Wolfram Sang; +Cc: linux-i2c
On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 boundary.
It is possible from a user application to run into that issue by call
the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.
Call Trace:
[<ffffffff8139f695>] dump_stack+0x67/0x92
[<ffffffff811802a4>] panic+0xc5/0x1eb
[<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
[<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
[<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
[<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
[<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
[<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
[<ffffffff811f7869>] SyS_ioctl+0x79/0x90
[<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
---
drivers/i2c/i2c-core-smbus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index 10f00a8..f0be621 100644
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -398,6 +398,12 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
case I2C_SMBUS_I2C_BLOCK_DATA:
if (read_write == I2C_SMBUS_READ) {
msg[1].len = data->block[0];
+ if (msg[1].len > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev,
+ "Invalid block read size %d\n",
+ data->block[0]);
+ return -EINVAL;
+ }
} else {
msg[0].len = data->block[0] + 1;
if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
--
2.9.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-04-03 14:06 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-01 20:54 [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Connor O'Brien
2019-04-03 14:06 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2019-04-01 20:54 Connor O'Brien
2019-04-01 20:54 Connor O'Brien
2017-11-15 19:54 Compostella, Jeremy
2017-11-27 18:38 ` Wolfram Sang
2017-11-27 19:14 ` Compostella, Jeremy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.