* [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
@ 2022-07-29 9:34 Zheyu Ma
0 siblings, 0 replies; 5+ messages in thread
From: Zheyu Ma @ 2022-07-29 9:34 UTC (permalink / raw)
Cc: Zheyu Ma, linux-kernel
When the driver does not check the data from the user, the variable
'data->block[0]' may be very large to cause an out-of-bounds bug.
The following log can reveal it:
[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
[ 33.996475] ==================================================================
[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
[ 33.999450] Call Trace:
[ 34.001849] memcpy+0x20/0x60
[ 34.002077] ismt_access.cold+0x374/0x214b
[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
[ 34.004007] i2c_smbus_xfer+0x10a/0x390
[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
[ 34.005196] i2cdev_ioctl+0x5ec/0x74c
Fix this bug by checking the size of 'data->block[0]' first.
Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
drivers/i2c/busses/i2c-ismt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
if (read_write == I2C_SMBUS_WRITE) {
/* Block Write */
dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n");
+ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
dma_size = data->block[0] + 1;
dma_direction = DMA_TO_DEVICE;
desc->wr_len_cmd = dma_size;
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
2022-07-29 11:02 Zheyu Ma
2022-09-08 17:22 ` Guenter Roeck
@ 2022-12-07 20:27 ` Wolfram Sang
1 sibling, 0 replies; 5+ messages in thread
From: Wolfram Sang @ 2022-12-07 20:27 UTC (permalink / raw)
To: Zheyu Ma
Cc: Seth Heasley, Neil Horman, Jean Delvare, Bill Brown,
Wolfram Sang, linux-i2c, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1187 bytes --]
On Fri, Jul 29, 2022 at 07:02:16PM +0800, Zheyu Ma wrote:
> When the driver does not check the data from the user, the variable
> 'data->block[0]' may be very large to cause an out-of-bounds bug.
>
> The following log can reveal it:
>
> [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
> [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
> [ 33.996475] ==================================================================
> [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
> [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
> [ 33.999450] Call Trace:
> [ 34.001849] memcpy+0x20/0x60
> [ 34.002077] ismt_access.cold+0x374/0x214b
> [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
> [ 34.004007] i2c_smbus_xfer+0x10a/0x390
> [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
> [ 34.005196] i2cdev_ioctl+0x5ec/0x74c
>
> Fix this bug by checking the size of 'data->block[0]' first.
>
> Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Applied to for-next, thanks!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
2022-09-08 17:22 ` Guenter Roeck
@ 2022-09-08 21:11 ` Wolfram Sang
0 siblings, 0 replies; 5+ messages in thread
From: Wolfram Sang @ 2022-09-08 21:11 UTC (permalink / raw)
To: Guenter Roeck
Cc: Zheyu Ma, Seth Heasley, Neil Horman, Jean Delvare, Bill Brown,
Wolfram Sang, linux-i2c, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1480 bytes --]
On Thu, Sep 08, 2022 at 10:22:54AM -0700, Guenter Roeck wrote:
> On Fri, Jul 29, 2022 at 07:02:16PM +0800, Zheyu Ma wrote:
> > When the driver does not check the data from the user, the variable
> > 'data->block[0]' may be very large to cause an out-of-bounds bug.
> >
> > The following log can reveal it:
> >
> > [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
> > [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
> > [ 33.996475] ==================================================================
> > [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
> > [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
> > [ 33.999450] Call Trace:
> > [ 34.001849] memcpy+0x20/0x60
> > [ 34.002077] ismt_access.cold+0x374/0x214b
> > [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
> > [ 34.004007] i2c_smbus_xfer+0x10a/0x390
> > [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
> > [ 34.005196] i2cdev_ioctl+0x5ec/0x74c
> >
> > Fix this bug by checking the size of 'data->block[0]' first.
> >
> > Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
> > Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
>
> This patch has not been applied, and I don't see a response to it either.
> Is there a problem with it, or did it get lost ?
Seth is currently looking for a co-maintainer to assist him with this
driver.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
2022-07-29 11:02 Zheyu Ma
@ 2022-09-08 17:22 ` Guenter Roeck
2022-09-08 21:11 ` Wolfram Sang
2022-12-07 20:27 ` Wolfram Sang
1 sibling, 1 reply; 5+ messages in thread
From: Guenter Roeck @ 2022-09-08 17:22 UTC (permalink / raw)
To: Zheyu Ma
Cc: Seth Heasley, Neil Horman, Jean Delvare, Bill Brown,
Wolfram Sang, linux-i2c, linux-kernel
On Fri, Jul 29, 2022 at 07:02:16PM +0800, Zheyu Ma wrote:
> When the driver does not check the data from the user, the variable
> 'data->block[0]' may be very large to cause an out-of-bounds bug.
>
> The following log can reveal it:
>
> [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
> [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
> [ 33.996475] ==================================================================
> [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
> [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
> [ 33.999450] Call Trace:
> [ 34.001849] memcpy+0x20/0x60
> [ 34.002077] ismt_access.cold+0x374/0x214b
> [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
> [ 34.004007] i2c_smbus_xfer+0x10a/0x390
> [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
> [ 34.005196] i2cdev_ioctl+0x5ec/0x74c
>
> Fix this bug by checking the size of 'data->block[0]' first.
>
> Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
This patch has not been applied, and I don't see a response to it either.
Is there a problem with it, or did it get lost ?
Thanks,
Guenter
> ---
> drivers/i2c/busses/i2c-ismt.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
> index 6078fa0c0d48..63120c41354c 100644
> --- a/drivers/i2c/busses/i2c-ismt.c
> +++ b/drivers/i2c/busses/i2c-ismt.c
> @@ -509,6 +509,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
> if (read_write == I2C_SMBUS_WRITE) {
> /* Block Write */
> dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n");
> + if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
> + return -EINVAL;
> +
> dma_size = data->block[0] + 1;
> dma_direction = DMA_TO_DEVICE;
> desc->wr_len_cmd = dma_size;
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
@ 2022-07-29 11:02 Zheyu Ma
2022-09-08 17:22 ` Guenter Roeck
2022-12-07 20:27 ` Wolfram Sang
0 siblings, 2 replies; 5+ messages in thread
From: Zheyu Ma @ 2022-07-29 11:02 UTC (permalink / raw)
To: Seth Heasley, Neil Horman, Jean Delvare, Bill Brown, Wolfram Sang
Cc: Zheyu Ma, linux-i2c, linux-kernel
When the driver does not check the data from the user, the variable
'data->block[0]' may be very large to cause an out-of-bounds bug.
The following log can reveal it:
[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
[ 33.996475] ==================================================================
[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
[ 33.999450] Call Trace:
[ 34.001849] memcpy+0x20/0x60
[ 34.002077] ismt_access.cold+0x374/0x214b
[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
[ 34.004007] i2c_smbus_xfer+0x10a/0x390
[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
[ 34.005196] i2cdev_ioctl+0x5ec/0x74c
Fix this bug by checking the size of 'data->block[0]' first.
Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
drivers/i2c/busses/i2c-ismt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
if (read_write == I2C_SMBUS_WRITE) {
/* Block Write */
dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n");
+ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
dma_size = data->block[0] + 1;
dma_direction = DMA_TO_DEVICE;
desc->wr_len_cmd = dma_size;
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-12-07 20:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-29 9:34 [PATCH] i2c: ismt: Fix an out-of-bounds bug in ismt_access() Zheyu Ma
2022-07-29 11:02 Zheyu Ma
2022-09-08 17:22 ` Guenter Roeck
2022-09-08 21:11 ` Wolfram Sang
2022-12-07 20:27 ` Wolfram Sang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).