From: Alexander Popov To: Wolfram Sang , linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, sil2review@lists.osadl.org, Dmitry Vyukov , Alexander Popov Subject: [PATCH 1/1] i2c: dev: check i2c_msg len before memdup_user() to prevent ZERO_SIZE_PTR deref Date: Wed, 18 Apr 2018 03:16:45 +0300 Message-Id: <1524010605-21552-1-git-send-email-alex.popov@linux.com> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently i2cdev_ioctl_rdwr() doesn't check i2c_msg len against zero before calling memdup_user(). If this len is zero memdup_user() returns ZERO_SIZE_PTR, which is later considered as valid since IS_ERR(ZERO_SIZE_PTR) is false. That causes ZERO_SIZE_PTR deref oops. Let's check i2c_msg len against zero before calling memdup_user(). This issue was triggered by syzkaller. Signed-off-by: Alexander Popov --- drivers/i2c/i2c-dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c index 036a03f..b9b6715 100644 --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -252,8 +252,8 @@ static noinline int i2cdev_ioctl_rdwr(struct i2c_client *client, res = 0; for (i = 0; i < nmsgs; i++) { - /* Limit the size of the message to a sane amount */ - if (msgs[i].len > 8192) { + /* Check that the size is sane */ + if (!msgs[i].len || msgs[i].len > 8192) { res = -EINVAL; break; } -- 2.7.4
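Review bot: the new `!msgs[i].len` test at the top of the `for (i = 0; i < nmsgs; i++)` loop rejects every zero-length message with -EINVAL, whatever its flags, so it changes the ioctl's behaviour for all callers rather than only for the path that dereferences the buffer. The commit message says the ZERO_SIZE_PTR is "later considered as valid" but does not name the statement that dereferences it; please identify that site in the changelog. If the dereference happens only on one branch after memdup_user(), consider moving the length check to that branch, so that zero-length transfers which never touch `buf` keep working. The replacement comment "Check that the size is sane" is also less informative than the one it removes; something that mentions both the zero case and the 8192 upper bound would document why each half of the condition is there.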