From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] i2c: core-smbus: fix a potential uninitialization bug
Date: Mon, 30 Apr 2018 00:53:38 -0500
Message-Id: <1525067618-836-1-git-send-email-wang6495@umn.edu>

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable "size", msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still not be uninitialized even after the invocation of the function i2c_transfer().

In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass. For example, it is expected that if the value of "size" is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to an invalid block write size, as demonstrated in the error message.

This patch simply initializes the buffer msgbuf1 with 0 to avoid undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
--- drivers/i2c/i2c-core-smbus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index b5aec33..0fcca75 100644 --- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c
@@ -324,7 +324,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, * somewhat simpler. */ unsigned char msgbuf0[I2C_SMBUS_BLOCK_MAX+3]; - unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2]; + unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2] = {0}; int num = read_write == I2C_SMBUS_READ ? 2 : 1; int i; u8 partial_pec = 0; -- 2.7.4
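
Review bot: Zero-filling msgbuf1 at its declaration (`unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2] = {0};`) makes the later read deterministic, but the changelog's stated concern is that the length byte copied from msgbuf1 into data->block[0] can exceed I2C_SMBUS_BLOCK_MAX, and this hunk adds no check on that byte. Consider pairing the initializer with an explicit bound check at the point where msgbuf1 is copied out, or explain in the changelog why a zeroed buffer alone is sufficient. The changelog should also name the i2c_transfer() path that returns without writing msgbuf1 and include the error message it refers to, and "may still not be uninitialized" should read "may still be uninitialized".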