From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jeremy Compostella, Wolfram Sang
Subject: [PATCH 4.14 63/89] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
Date: Mon, 22 Jan 2018 09:45:43 +0100
Message-Id: <20180122084000.894059946@linuxfoundation.org>
In-Reply-To: <20180122083954.683903493@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jeremy Compostella

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [] dump_stack+0x67/0x92
 [] panic+0xc5/0x1eb
 [] ? vprintk_default+0x1f/0x30
 [] ? i2cdev_ioctl_smbus+0x303/0x320
 [] __stack_chk_fail+0x1b/0x20
 [] i2cdev_ioctl_smbus+0x303/0x320
 [] i2cdev_ioctl+0x4d/0x1e0
 [] do_vfs_ioctl+0x2ba/0x490
 [] ? security_file_ioctl+0x43/0x60
 [] SyS_ioctl+0x79/0x90
 [] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella
Signed-off-by: Wolfram Sang
Signed-off-by: Greg Kroah-Hartman
---
 drivers/i2c/i2c-core-smbus.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c @@ -396,16 +396,17 @@ static s32 i2c_smbus_xfer_emulated(struc the underlying bus driver */ break; case I2C_SMBUS_I2C_BLOCK_DATA: + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { + dev_err(&adapter->dev, "Invalid block %s size %d\n", + read_write == I2C_SMBUS_READ ? "read" : "write", + data->block[0]); + return -EINVAL; + } + if (read_write == I2C_SMBUS_READ) { msg[1].len = data->block[0]; } else { msg[0].len = data->block[0] + 1; - if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { - dev_err(&adapter->dev, - "Invalid block write size %d\n", - data->block[0]); - return -EINVAL; - } for (i = 1; i <= data->block[0]; i++) msgbuf0[i] = data->block[i]; }
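
Review bot: The dev_err() added at the top of the I2C_SMBUS_I2C_BLOCK_DATA case now also runs for reads, and the commit message states this path is reachable from a user application through the I2C_SMBUS ioctl, so a caller repeating an oversized request can fill the kernel log. Consider dev_err_ratelimited() or dev_dbg() for the message and keep the -EINVAL return as it is. A one-line comment above the check saying that it bounds msg[1].len on reads as well as the msgbuf0 copy on writes would help, since the check has moved out of the write branch where its purpose was evident. The commit message describes the failing condition as data->block[0] greater than I2C_SMBUS_BLOCK_MAX + 1 while the check rejects anything greater than I2C_SMBUS_BLOCK_MAX; the check agrees with the 32-byte limit cited from Documentation/i2c/dev-interface, so it is the message wording that could be tightened.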