Date: Thu, 10 May 2018 13:17:37 +0200
From: Wolfram Sang
To: Wenwen Wang
Cc: Kangjie Lu, "open list:I2C SUBSYSTEM", open list
Subject: Re: [PATCH v2 1/2] i2c: core-smbus: fix a potential uninitialization bug
Message-ID: <20180510111737.b6g7s2nnf6froote@ninjato>
In-Reply-To: <1525525030-9805-1-git-send-email-wang6495@umn.edu>

On Sat, May 05, 2018 at 07:57:10AM -0500, Wenwen Wang wrote:
> In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1,
> which are used to save a series of messages, as mentioned in the comment.
> According to the value of the variable 'size', msgbuf0 is initialized to
> various values. In contrast, msgbuf1 is left uninitialized until the
> function i2c_transfer() is invoked. However, msgbuf1 is not always
> initialized on all possible execution paths (implementation) of
> i2c_transfer(). Thus, it is possible that msgbuf1 may still be
> uninitialized even after the invocation of the function i2c_transfer(),
> especially when the return value of i2c_transfer() is not checked properly.
> In the following execution, the uninitialized msgbuf1 will be used, such as
> for security checks. Since uninitialized values can be random and
> arbitrary, this will cause undefined behaviors or even check bypass. For
> example, it is expected that if the value of 'size' is
> I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger
> than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the
> value read from msgbuf1 is assigned to data->block[0], which can
> potentially lead to invalid block write size, as demonstrated in the error
> message.
>
> This patch initializes the first byte of msgbuf1 with 0 to avoid such
> undefined behaviors or security issues.
>
> Signed-off-by: Wenwen Wang

From what I can tell, this patch is not needed anymore after patch 2 is
applied. Correct?
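Added example, not code from the kernel or from this thread: a user-space C model of the failure the quoted commit message describes, where a length byte is read from a buffer the transfer never wrote. fake_transfer(), block_len(), block_len_checked() and the POISON fill (a deterministic stand-in for stale stack bytes) are hypothetical; BLOCK_MAX takes the value of I2C_SMBUS_BLOCK_MAX.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX 32   /* same value as the kernel's I2C_SMBUS_BLOCK_MAX */
#define POISON    0xA5 /* constructed stand-in for stale stack contents */

/* Hypothetical stand-in for i2c_transfer(): on the failing path it returns
 * an error and never writes the read buffer. */
static int fake_transfer(uint8_t *rbuf, int fail)
{
    if (fail)
        return -5;             /* -EIO, rbuf untouched */
    rbuf[0] = 3;               /* device reports a 3-byte block */
    memcpy(rbuf + 1, "abc", 3);
    return 2;                  /* messages transferred */
}

/* Transfer result ignored, as in the scenario the commit message describes.
 * patched != 0 applies the fix from the patch: first byte set to 0. */
static int block_len(int fail, int patched)
{
    uint8_t msgbuf1[BLOCK_MAX + 2];
    memset(msgbuf1, POISON, sizeof(msgbuf1)); /* model uninitialized stack */
    if (patched)
        msgbuf1[0] = 0;
    (void)fake_transfer(msgbuf1, fail);
    return msgbuf1[0];         /* value that would reach data->block[0] */
}

/* Assumption of this example, not part of the patch: also propagate the
 * transfer error and reject a length above BLOCK_MAX. */
static int block_len_checked(int fail)
{
    uint8_t msgbuf1[BLOCK_MAX + 2] = { 0 };
    int ret = fake_transfer(msgbuf1, fail);
    if (ret < 0)
        return ret;
    return msgbuf1[0] > BLOCK_MAX ? -71 /* -EPROTO */ : msgbuf1[0];
}

int main(void)
{
    printf("unpatched, failed transfer: %d\n", block_len(1, 0)); /* 165 */
    printf("patched,   failed transfer: %d\n", block_len(1, 1)); /* 0 */
    printf("checked,   failed transfer: %d\n", block_len_checked(1)); /* -5 */
    return 0;
}
```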