From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] i2c: core-smbus: fix a potential uninitialization bug
Date: Fri, 4 May 2018 20:43:16 -0500
Message-Id: <1525484596-5585-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable "size", msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementations) of i2c_transfer(). Thus, it is possible that msgbuf1 may still be uninitialized even after the invocation of the function i2c_transfer(), especially when the return value of i2c_transfer() is not checked properly. In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass.

For example, it is expected that if the value of "size" is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to an invalid block write size, as demonstrated in the error message.

This patch checks the return value of i2c_transfer() and also initializes the first byte of msgbuf1 with 0 to avoid undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index b5aec33..e8470d5 100644 --- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c @@ -344,6 +344,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, }; msgbuf0[0] = command; + msgbug1[0] = 0; switch (size) { case I2C_SMBUS_QUICK: msg[0].len = 0; @@ -466,6 +467,8 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, status = i2c_transfer(adapter, msg, num); if (status < 0) return status; + if (status != num) + return -EIO; /* Check PEC if last message is a read */ if (i && (msg[num-1].flags & I2C_M_RD)) { -- 2.7.4
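Review bot: the added line `msgbug1[0] = 0;` in the first hunk (@@ -344) misspells the buffer name; the commit message and the neighbouring `msgbuf0[0] = command;` line use the msgbuf prefix, so this will not compile until it reads `msgbuf1[0] = 0;`. Zero is a sensible default for that byte on the block paths the message describes (an unfilled read then looks like a zero-length block instead of stack garbage), but note it only covers msgbuf1[0]; it is the second hunk, not this one, that stops stale data bytes from being copied out after a short transfer.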
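Review bot: the new `if (status != num) return -EIO;` in the second hunk (@@ -466) is uncommented and sits right after an `if (status < 0) return status;` with the same shape; merge them, or add a one-line comment saying a transfer count shorter than num is treated as an I/O error, so the next reader does not wonder why a non-negative status is rejected. Also, this check only catches an adapter that reports fewer than num messages; an adapter that returns num without writing the read buffer is still not detected here, which is exactly the case the first hunk's initialisation has to cover, so the commit message should say which change addresses which failure mode rather than attributing the fix mainly to the return-value check.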
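To make the failure mode in the commit message concrete, here is an added user-space model of the emulated block-read path; it is not kernel code and not part of the patch. `struct msg`, `xfer_fn`, `broken_adapter`, `good_adapter` and `block_read` are hypothetical stand-ins for the kernel's i2c_msg, i2c_transfer() and i2c_smbus_xfer_emulated(); the `stale` byte pattern is a constructed stand-in for whatever happens to be in the uninitialised msgbuf1 on the stack. I2C_SMBUS_BLOCK_MAX (32) and I2C_M_RD (0x0001) mirror the kernel's constants. `hardened == 0` reproduces the pre-patch behaviour; `hardened != 0` applies both of the patch's changes.

```c
/*
 * Added example, not kernel code: user-space model of the block-read path
 * in i2c_smbus_xfer_emulated() as described in the patch message.  All
 * adapter callbacks, struct msg, xfer_fn and block_read() are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32      /* mirrors the kernel constant */
#define I2C_M_RD            0x0001  /* mirrors the kernel flag: message is a read */

struct msg {
    uint16_t flags;
    uint16_t len;
    uint8_t *buf;
};

/* Hypothetical adapter entry point: returns the number of messages it
 * completed, or a negative errno, in the same style as i2c_transfer(). */
typedef int (*xfer_fn)(struct msg *msgs, int num);

/* Adapter that completes only the command write, never touches the read
 * buffer, and yet does not return an error: the case the patch targets. */
static int broken_adapter(struct msg *msgs, int num)
{
    (void)msgs;
    return num > 1 ? 1 : num;
}

/* Adapter that answers with a well-formed 4-byte block. */
static int good_adapter(struct msg *msgs, int num)
{
    static const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    for (int i = 0; i < num; i++) {
        if (msgs[i].flags & I2C_M_RD) {
            msgs[i].buf[0] = sizeof payload;            /* SMBus length byte */
            memcpy(&msgs[i].buf[1], payload, sizeof payload);
        }
    }
    return num;
}

/*
 * Emulated SMBus block read.  'stale' is the constructed byte pattern that
 * sits in the uninitialised msgbuf1.  On success block[0] holds the length
 * and block[1..] the data; block must hold I2C_SMBUS_BLOCK_MAX + 1 bytes.
 */
static int block_read(xfer_fn xfer, int hardened, uint8_t command,
                      uint8_t stale, uint8_t *block)
{
    uint8_t msgbuf0[1] = { command };
    uint8_t msgbuf1[I2C_SMBUS_BLOCK_MAX + 2];
    struct msg msgs[2] = {
        { 0,        1, msgbuf0 },
        { I2C_M_RD, 0, msgbuf1 },   /* slave supplies the length byte */
    };
    int num = 2, status;

    memset(msgbuf1, stale, sizeof msgbuf1);  /* stand-in for stack garbage */
    if (hardened)
        msgbuf1[0] = 0;                      /* patch, hunk 1: known length byte */

    status = xfer(msgs, num);
    if (status < 0)
        return status;
    if (hardened && status != num)           /* patch, hunk 2: short transfer */
        return -EIO;

    /* Pre-existing sanity check on the slave-supplied length byte. */
    if (msgbuf1[0] > I2C_SMBUS_BLOCK_MAX)
        return -EPROTO;
    memcpy(block, msgbuf1, msgbuf1[0] + 1u);
    return 0;
}

int main(void)
{
    uint8_t blk[I2C_SMBUS_BLOCK_MAX + 1];
    int rc;

    rc = block_read(broken_adapter, 0, 0x10, 0xff, blk);
    printf("unpatched, stale 0xff: rc=%d (length check rejects it)\n", rc);
    rc = block_read(broken_adapter, 0, 0x10, 0x07, blk);
    printf("unpatched, stale 0x07: rc=%d len=%u (garbage accepted)\n", rc, blk[0]);
    rc = block_read(broken_adapter, 1, 0x10, 0x07, blk);
    printf("patched, short transfer: rc=%d\n", rc);
    rc = block_read(good_adapter, 1, 0x10, 0x07, blk);
    printf("patched, good adapter: rc=%d len=%u first=0x%02x\n", rc, blk[0], blk[1]);
    return 0;
}
```

The two unpatched runs show both outcomes the commit message describes: stale 0xff trips the length check (the model's -EPROTO stands in for the kernel error path the message refers to), while stale 0x07 passes the check and eight bytes of garbage are copied out as a valid block. With the patched behaviour the short transfer is rejected with -EIO before the length byte is ever consulted, and a correct adapter still works unchanged.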