From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] i2c: core-smbus: fix a potential uninitialization bug
Date: Wed, 2 May 2018 17:36:21 -0500
Message-Id: <1525300581-27217-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable "size", msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still be uninitialized even after the invocation of the function i2c_transfer(). In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass. For example, it is expected that if the value of "size" is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to an invalid block write size, as demonstrated in the error message.

This patch simply initializes the buffer msgbuf1 with 0 to avoid undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index b5aec33..0fcca75 100644
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -324,7 +324,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, * somewhat simpler. */ unsigned char msgbuf0[I2C_SMBUS_BLOCK_MAX+3]; - unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2]; + unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2] = {0}; int num = read_write == I2C_SMBUS_READ ? 2 : 1; int i; u8 partial_pec = 0; -- 2.7.4
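Review bot: the `= {0}` initializer on the msgbuf1 declaration makes the outcome deterministic but does not make it correct: a driver that returns success without writing the read buffer now yields msgbuf1[0] == 0, which passes the "larger than I2C_SMBUS_BLOCK_MAX" check the commit message cites and hands the caller an empty block instead of an error. If the core is meant to defend against such drivers, initialize the count byte to a value the existing length check rejects, or reject a zero count explicitly, so the fault is reported rather than masked. The commit message should also name the i2c_transfer() path that leaves msgbuf1 unfilled; "not always initialized on all possible execution paths" gives the maintainer nothing to verify, and a driver that reports success without filling the buffer is a driver bug worth fixing at its source. The zeroing also runs for write-only transfers (num == 1), where msgbuf1 is unused; at I2C_SMBUS_BLOCK_MAX+2 bytes that is harmless, but worth a sentence in the message.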
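As an added illustration, not code from the patch or from the kernel: a small C model of the block-read tail the commit message describes, with a constructed stand-in for the adapter transfer and a "stale" byte standing in for whatever the stack held before the transfer. Only the I2C_SMBUS_BLOCK_MAX value and the "larger than I2C_SMBUS_BLOCK_MAX" check come from the kernel; xfer_fn, the two adapter models, demo_block and the zero-count rejection are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32   /* same limit as the kernel header */

/* Constructed stand-in for an adapter transfer routine (not i2c_transfer()). */
typedef int (*xfer_fn)(uint8_t *rbuf, size_t rlen);

/* Models a driver that reports success but never writes the read buffer. */
static int adapter_never_fills(uint8_t *rbuf, size_t rlen)
{
    (void)rbuf; (void)rlen;
    return 0;
}

/* Models a driver that returns a well-formed 4-byte block (count byte first). */
static int adapter_fills(uint8_t *rbuf, size_t rlen)
{
    const uint8_t reply[] = { 4, 0xA1, 0xA2, 0xA3, 0xA4 };
    memcpy(rbuf, reply, sizeof reply < rlen ? sizeof reply : rlen);
    return 0;
}

static uint8_t demo_block[I2C_SMBUS_BLOCK_MAX + 2];   /* stands in for data->block */

/* Simplified model of the block-read tail of i2c_smbus_xfer_emulated(). 'stale'
 * is written over msgbuf1 before the transfer to stand in for old stack contents;
 * 0x00 models the patch's "= {0}". Returns the count copied, or a negative code. */
static int emulated_block_read(xfer_fn xfer, uint8_t stale)
{
    uint8_t msgbuf1[I2C_SMBUS_BLOCK_MAX + 2];
    memset(msgbuf1, stale, sizeof msgbuf1);
    if (xfer(msgbuf1, sizeof msgbuf1) < 0)
        return -1;
    if (msgbuf1[0] > I2C_SMBUS_BLOCK_MAX)
        return -2;   /* the length check the commit message refers to */
    if (msgbuf1[0] == 0)
        return -3;   /* added in this example (assumption): a block carries >= 1 byte */
    memcpy(demo_block, msgbuf1, (size_t)msgbuf1[0] + 1);
    return msgbuf1[0];
}

int main(void)
{
    printf("%d %d %d %d\n", emulated_block_read(adapter_fills, 0xFF),
           emulated_block_read(adapter_never_fills, 0xFF),
           emulated_block_read(adapter_never_fills, 0x10),
           emulated_block_read(adapter_never_fills, 0x00));
    return 0;
}
```

The third case is the one the commit message warns about: a plausible stale count (0x10) passes the length check and 16 bytes of stale buffer are handed back as device data, while the zero-initialised case is caught only because this model rejects a zero count.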