From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/2] i2c: core-smbus: fix a potential uninitialization bug
Date: Sat, 5 May 2018 07:57:10 -0500
Message-Id: <1525525030-9805-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable 'size', msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still be uninitialized even after the invocation of the function i2c_transfer(), especially when the return value of i2c_transfer() is not checked properly.

In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass. For example, it is expected that if the value of 'size' is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to invalid block write size, as demonstrated in the error message.

This patch initializes the first byte of msgbuf1 with 0 to avoid such undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index b5aec33..7d7700f 100644
--- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c @@ -344,6 +344,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, }; msgbuf0[0] = command; + msgbuf1[0] = 0; switch (size) { case I2C_SMBUS_QUICK: msg[0].len = 0; -- 2.7.4
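Review bot: The new `msgbuf1[0] = 0;` only defines the length byte, while the commit message itself names the root cause as the return value of i2c_transfer() "not checked properly"; with this line alone, a transfer that fails without touching msgbuf1 now passes the I2C_SMBUS_BLOCK_MAX check and is reported to the caller as a successful zero-length block rather than as an error. Please either make the status check the primary fix and keep the zero-initialization as defense in depth, or state in the commit message why a silent empty block is the intended fallback. A one-line comment above the assignment, e.g. `/* length byte must be defined even if the adapter does not fill msgbuf1 */`, would tell future readers why an otherwise unused buffer is being written before the switch.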
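An added user-space model of the emulated block read, not code from this patch or from the kernel: fake_transfer() stands in for i2c_transfer(), BLOCK_MAX for I2C_SMBUS_BLOCK_MAX, and the check_status flag contrasts consuming msgbuf1 with and without checking the transfer status, which is the behaviour the commit message and review comment discuss.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_MAX 32   /* stands in for I2C_SMBUS_BLOCK_MAX (assumption) */

/* Model of i2c_transfer() (assumption): on success writes a length byte plus
 * that many payload bytes into rx and returns 1; on failure leaves rx
 * untouched and returns a negative errno. */
static int fake_transfer(uint8_t *rx, size_t rx_len, bool ok, uint8_t len)
{
    if (!ok)
        return -EIO;
    if ((size_t)len + 1 > rx_len)
        return -EINVAL;
    rx[0] = len;
    for (uint8_t i = 0; i < len; i++)
        rx[1 + i] = (uint8_t)(0xA0 + i);   /* constructed payload bytes */
    return 1;
}

/* Model of the block-read tail of i2c_smbus_xfer_emulated(). 'stale' is what
 * the receive buffer held before the transfer (a stand-in for uninitialized
 * memory). Returns 0 on success, negative errno otherwise; block receives
 * [len, payload...] like data->block. */
static int block_read(uint8_t *block, bool transfer_ok, uint8_t dev_len,
                      uint8_t stale, bool check_status)
{
    uint8_t msgbuf1[BLOCK_MAX + 2];
    memset(msgbuf1, stale, sizeof(msgbuf1)); /* leftover contents */
    msgbuf1[0] = 0;                          /* the patch: length byte defined */

    int status = fake_transfer(msgbuf1, sizeof(msgbuf1), transfer_ok, dev_len);
    if (check_status && status < 0)
        return status;                       /* hardened: never consume msgbuf1 */

    if (msgbuf1[0] > BLOCK_MAX)
        return -EPROTO;                      /* the I2C_SMBUS_BLOCK_MAX check */

    memcpy(block, msgbuf1, (size_t)msgbuf1[0] + 1);
    return 0;
}

/* Returns the reported block length on success, the negative status otherwise. */
static int read_len(bool transfer_ok, uint8_t dev_len, uint8_t stale, bool check_status)
{
    uint8_t block[BLOCK_MAX + 2] = {0};
    int st = block_read(block, transfer_ok, dev_len, stale, check_status);
    return st < 0 ? st : block[0];
}
```

With check_status false, a failed transfer still returns 0 with an empty block, which is the silent-success case the zero-initialization alone does not report.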