Date: Fri, 27 Apr 2018 14:06:58 +0200
From: Wolfram Sang
To: Alexander Popov
Cc: Uwe Kleine-König, linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, sil2review@lists.osadl.org, Dmitry Vyukov, syzkaller@googlegroups.com
Subject: Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
Message-ID: <20180427120658.wi32f7margtfazzp@ninjato>
References: <1524140962-25639-1-git-send-email-alex.popov@linux.com>
In-Reply-To: <1524140962-25639-1-git-send-email-alex.popov@linux.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Apr 19, 2018 at 03:29:22PM +0300, Alexander Popov wrote:
> i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
> returns ZERO_SIZE_PTR if i2c_msg.len is zero.
>
> Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
> of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
> case of zero len.
>
> Let's check the len against zero before dereferencing the buf pointer.
>
> This issue was triggered by syzkaller.
>
> Signed-off-by: Alexander Popov

Applied to for-current with the arithmetic expression changed to '< 1' to
keep in sync with the previous one. Will push out soon, so you can double
check if you are interested.

Thanks for the debugging, Alexander!
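As an added example that is not part of this mail, the patch, or the i2c-dev driver, the following user-space C model reproduces the failure mode the commit message describes: memdup_user() on a zero-length request hands back ZERO_SIZE_PTR, which is non-NULL and is not an ERR_PTR, so the usual IS_ERR() check lets it through and the first read of buf[0] faults. The kernel macros (ZERO_SIZE_PTR, IS_ERR, ZERO_OR_NULL_PTR, the I2C flag values) are re-declared locally so the file builds without kernel headers. The I2C_M_RECV_LEN validation is modelled on the commit message and on the remark above about the '< 1' expression, not copied from the driver, so its exact shape is an assumption; model_rdwr(), validate_recv_len(), fake_memdup_user(), model_block_read_case() and WOULD_OOPS are names invented here, and the "user" buffers are constructed inline.

```c
/* Added example: user-space model of the ZERO_SIZE_PTR hazard in an
 * i2cdev_ioctl_rdwr()-style handler. Not the driver's own code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-declared kernel conventions (include/linux/slab.h, include/linux/err.h):
 * a zero-length allocation yields ZERO_SIZE_PTR, a small non-NULL value that
 * is deliberately not in the ERR_PTR range, so NULL checks and IS_ERR() both
 * pass it. Assumed values, matching upstream at the time of writing. */
#define ZERO_SIZE_PTR        ((void *)16)
#define MAX_ERRNO            4095
#define IS_ERR(p)            ((unsigned long)(p) >= (unsigned long)-MAX_ERRNO)
#define ZERO_OR_NULL_PTR(p)  ((unsigned long)(p) <= (unsigned long)ZERO_SIZE_PTR)

/* Flag values from uapi/linux/i2c.h (assumed) */
#define I2C_M_RD             0x0001
#define I2C_M_RECV_LEN       0x0400
#define I2C_SMBUS_BLOCK_MAX  32

/* Model-only return code: "the unpatched code would have read through
 * ZERO_SIZE_PTR here", i.e. the kernel oops the commit message reports. */
#define WOULD_OOPS           (-1000)

struct i2c_msg { uint16_t addr; uint16_t flags; uint16_t len; uint8_t *buf; };

/* Stand-in for memdup_user(): same contract as the kernel helper, except that
 * "user memory" is an ordinary buffer and copy_from_user() is memcpy(). */
static void *fake_memdup_user(const void *src, size_t len)
{
    void *p;
    if (len == 0)
        return ZERO_SIZE_PTR;                   /* what kmalloc(0) returns */
    p = malloc(len);
    if (!p)
        return (void *)(unsigned long)-ENOMEM;  /* ERR_PTR(-ENOMEM) */
    memcpy(p, src, len);
    return p;
}

/* I2C_M_RECV_LEN validation. check_len == 0 models the unpatched logic,
 * check_len == 1 adds the 'len < 1' guard described on the page. */
static int validate_recv_len(const struct i2c_msg *m, int check_len)
{
    if (!(m->flags & I2C_M_RECV_LEN))
        return 0;
    if (!(m->flags & I2C_M_RD))
        return -EINVAL;
    if (check_len && m->len < 1)
        return -EINVAL;                 /* the fix: reject before touching buf */
    if (m->len < 1)
        return WOULD_OOPS;              /* unpatched: about to read buf[0] */
    if (m->buf[0] < 1 || m->len < m->buf[0] + I2C_SMBUS_BLOCK_MAX)
        return -EINVAL;                 /* the pre-existing buf[0] checks */
    return 0;
}

/* Push one message through memdup + validate, as the ioctl path would. */
int model_rdwr(uint16_t flags, const uint8_t *ubuf, uint16_t len, int check_len)
{
    struct i2c_msg m = { .addr = 0x50, .flags = flags, .len = len, .buf = NULL };
    int ret;

    m.buf = fake_memdup_user(ubuf, len);
    if (IS_ERR(m.buf))
        return -ENOMEM;                 /* ZERO_SIZE_PTR never takes this branch */
    ret = validate_recv_len(&m, check_len);
    if (!ZERO_OR_NULL_PTR(m.buf))
        free(m.buf);                    /* kfree() tolerates ZERO_SIZE_PTR; free() does not */
    return ret;
}

/* Patched path with a constructed "user" buffer whose first byte is the
 * expected block length, as an SMBus block read would supply. */
int model_block_read_case(uint16_t len, uint8_t first_byte)
{
    uint8_t ubuf[64] = { 0 };           /* constructed input, capped at 64 bytes */
    if (len > sizeof ubuf)
        len = sizeof ubuf;
    ubuf[0] = first_byte;
    return model_rdwr(I2C_M_RD | I2C_M_RECV_LEN, len ? ubuf : NULL, len, 1);
}

int main(void)
{
    printf("len=0, unpatched : %d (WOULD_OOPS)\n",
           model_rdwr(I2C_M_RD | I2C_M_RECV_LEN, NULL, 0, 0));
    printf("len=0, patched   : %d (-EINVAL)\n",
           model_rdwr(I2C_M_RD | I2C_M_RECV_LEN, NULL, 0, 1));
    printf("len=33, buf[0]=1 : %d (ok)\n", model_block_read_case(33, 1));
    printf("len=5,  buf[0]=1 : %d (-EINVAL, too short)\n", model_block_read_case(5, 1));
    return 0;
}
```

The detail worth keeping from this model is why the bug survived the existing error handling: ZERO_SIZE_PTR is neither NULL nor an ERR_PTR, so the only place to catch a zero-length message is a length check that runs before any byte of buf is read. The cleanup path does not help either, because kfree() silently accepts ZERO_SIZE_PTR, which is why the model has to special-case it for free().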