[PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Connor O'Brien]

From: Jeremy Compostella <jeremy.compostella@intel.com>

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 4.9 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
 drivers/i2c/i2c-core.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index 7484aac1e14d..80d82c6792d8 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -3250,16 +3250,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
 				   the underlying bus driver */
 		break;
 	case I2C_SMBUS_I2C_BLOCK_DATA:
+		if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+			dev_err(&adapter->dev, "Invalid block %s size %d\n",
+				read_write == I2C_SMBUS_READ ? "read" : "write",
+				data->block[0]);
+			return -EINVAL;
+		}
 		if (read_write == I2C_SMBUS_READ) {
 			msg[1].len = data->block[0];
 		} else {
 			msg[0].len = data->block[0] + 1;
-			if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-				dev_err(&adapter->dev,
-					"Invalid block write size %d\n",
-					data->block[0]);
-				return -EINVAL;
-			}
 			for (i = 1; i <= data->block[0]; i++)
 				msgbuf0[i] = data->block[i];
 		}
-- 
2.21.0.392.gf8f6787159e-goog

Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Greg KH]

On Mon, Apr 01, 2019 at 01:54:41PM -0700, Connor O'Brien wrote:
> From: Jeremy Compostella <jeremy.compostella@intel.com>
> 
> commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.
> 
> On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> data out of the msgbuf1 array boundary.
> 
> It is possible from a user application to run into that issue by
> calling the I2C_SMBUS ioctl with data.block[0] greater than
> I2C_SMBUS_BLOCK_MAX + 1.
> 
> This patch makes the code compliant with
> Documentation/i2c/dev-interface by raising an error when the requested
> size is larger than 32 bytes.
> 
> Call Trace:
>  [<ffffffff8139f695>] dump_stack+0x67/0x92
>  [<ffffffff811802a4>] panic+0xc5/0x1eb
>  [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
>  [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
>  [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
>  [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
>  [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
>  [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
>  [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
>  [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
>  [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
> 
> Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
> Cc: stable@kernel.org
> [connoro@google.com: 4.9 backport: adjust filename]
> Signed-off-by: Connor O'Brien <connoro@google.com>
> ---
>  drivers/i2c/i2c-core.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)

Thanks for these, now applied.

greg k-h

[PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Connor O'Brien]

From: Jeremy Compostella <jeremy.compostella@intel.com>

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 4.4 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
 drivers/i2c/i2c-core.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index e4587411b447..153376009b46 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -2936,16 +2936,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
 				   the underlying bus driver */
 		break;
 	case I2C_SMBUS_I2C_BLOCK_DATA:
+		if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+			dev_err(&adapter->dev, "Invalid block %s size %d\n",
+				read_write == I2C_SMBUS_READ ? "read" : "write",
+				data->block[0]);
+			return -EINVAL;
+		}
 		if (read_write == I2C_SMBUS_READ) {
 			msg[1].len = data->block[0];
 		} else {
 			msg[0].len = data->block[0] + 1;
-			if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-				dev_err(&adapter->dev,
-					"Invalid block write size %d\n",
-					data->block[0]);
-				return -EINVAL;
-			}
 			for (i = 1; i <= data->block[0]; i++)
 				msgbuf0[i] = data->block[i];
 		}
-- 
2.21.0.392.gf8f6787159e-goog

[PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Connor O'Brien]

From: Jeremy Compostella <jeremy.compostella@intel.com>

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 3.18 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
---
 drivers/i2c/i2c-core.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index 7bd1b5cfb8d1..bb4b76f44fc9 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -2762,16 +2762,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
 				   the underlying bus driver */
 		break;
 	case I2C_SMBUS_I2C_BLOCK_DATA:
+		if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+			dev_err(&adapter->dev, "Invalid block %s size %d\n",
+				read_write == I2C_SMBUS_READ ? "read" : "write",
+				data->block[0]);
+			return -EINVAL;
+		}
 		if (read_write == I2C_SMBUS_READ) {
 			msg[1].len = data->block[0];
 		} else {
 			msg[0].len = data->block[0] + 1;
-			if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-				dev_err(&adapter->dev,
-					"Invalid block write size %d\n",
-					data->block[0]);
-				return -EINVAL;
-			}
 			for (i = 1; i <= data->block[0]; i++)
 				msgbuf0[i] = data->block[i];
 		}
-- 
2.21.0.392.gf8f6787159e-goog

Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Compostella, Jeremy]

Wolfram Sang <wsa@the-dreams.de> writes:

> On Wed, Nov 15, 2017 at 12:54:09PM -0700, Compostella, Jeremy wrote:
> > On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> > greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> > data out of the msgbuf1 boundary.
> > 
> > It is possible from a user application to run into that issue by call
> > the I2C_SMBUS ioctl with data.block[0] greater than
> > I2C_SMBUS_BLOCK_MAX + 1.

> From Documentation/i2c/dev-interface:

> ioctl(file, I2C_SMBUS, struct i2c_smbus_ioctl_data *args)
>   Not meant to be called  directly; instead, use the access functions
>   below.
> Maybe we should add this info to the include file as well?
> But I guess we still shouldn't OOPS on this misuse...

I read that part of the documentation too.  But still, I really think
this is an issue as there should not exist a so easy to corrupt the
Kernel stack.

Thanks,

Jeremy

Re: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Wolfram Sang]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

On Wed, Nov 15, 2017 at 12:54:09PM -0700, Compostella, Jeremy wrote:
> On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> data out of the msgbuf1 boundary.
> 
> It is possible from a user application to run into that issue by call
> the I2C_SMBUS ioctl with data.block[0] greater than
> I2C_SMBUS_BLOCK_MAX + 1.

From Documentation/i2c/dev-interface:

ioctl(file, I2C_SMBUS, struct i2c_smbus_ioctl_data *args)
  Not meant to be called  directly; instead, use the access functions
  below.

Maybe we should add this info to the include file as well?

But I guess we still shouldn't OOPS on this misuse...

Will think about it...

Regards,

   Wolfram


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

[Compostella, Jeremy]

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 boundary.

It is possible from a user application to run into that issue by call
the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
---
 drivers/i2c/i2c-core-smbus.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index 10f00a8..f0be621 100644
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -398,6 +398,12 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
 	case I2C_SMBUS_I2C_BLOCK_DATA:
 		if (read_write == I2C_SMBUS_READ) {
 			msg[1].len = data->block[0];
+			if (msg[1].len > I2C_SMBUS_BLOCK_MAX) {
+				dev_err(&adapter->dev,
+					"Invalid block read size %d\n",
+					data->block[0]);
+				return -EINVAL;
+			}
 		} else {
 			msg[0].len = data->block[0] + 1;
 			if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-- 
2.9.4