From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jeremy Compostella, Wolfram Sang, stable@kernel.org, Connor OBrien
Subject: [PATCH 4.4 007/168] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
Date: Wed, 24 Apr 2019 19:07:31 +0200
Message-Id: <20190424170923.898594389@linuxfoundation.org>
In-Reply-To: <20190424170923.452349382@linuxfoundation.org>
References: <20190424170923.452349382@linuxfoundation.org>

From: Jeremy Compostella

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [] dump_stack+0x67/0x92
 [] panic+0xc5/0x1eb
 [] ? vprintk_default+0x1f/0x30
 [] ? i2cdev_ioctl_smbus+0x303/0x320
 [] __stack_chk_fail+0x1b/0x20
 [] i2cdev_ioctl_smbus+0x303/0x320
 [] i2cdev_ioctl+0x4d/0x1e0
 [] do_vfs_ioctl+0x2ba/0x490
 [] ? security_file_ioctl+0x43/0x60
 [] SyS_ioctl+0x79/0x90
 [] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella
Signed-off-by: Wolfram Sang
Cc: stable@kernel.org
[connoro@google.com: 4.9 backport: adjust filename]
Signed-off-by: Connor O'Brien
Signed-off-by: Greg Kroah-Hartman
---
 drivers/i2c/i2c-core.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/i2c/i2c-core.c +++ b/drivers/i2c/i2c-core.c 
@@ -2936,16 +2936,16 @@ static s32 i2c_smbus_xfer_emulated(struc the underlying bus driver */ break; case I2C_SMBUS_I2C_BLOCK_DATA: + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { + dev_err(&adapter->dev, "Invalid block %s size %d\n", + read_write == I2C_SMBUS_READ ? "read" : "write", + data->block[0]); + return -EINVAL; + } if (read_write == I2C_SMBUS_READ) { msg[1].len = data->block[0]; } else { msg[0].len = data->block[0] + 1; - if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { - dev_err(&adapter->dev, - "Invalid block write size %d\n", - data->block[0]); - return -EINVAL; - } for (i = 1; i <= data->block[0]; i++) msgbuf0[i] = data->block[i]; }
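
Review bot: the dev_err() added at the top of the I2C_SMBUS_I2C_BLOCK_DATA case runs on every oversized request, and the commit message states that a user application can reach this path through the I2C_SMBUS ioctl, so a caller can fill the kernel log at will. Consider dev_err_ratelimited() or a debug-level message there, keeping the -EINVAL return. Hoisting the check above the read_write branch is what covers the read side, where msg[1].len was previously taken from data->block[0] with no bound. One documentation point: the commit message gives the overflow condition as greater than I2C_SMBUS_BLOCK_MAX + 1, while the new test rejects anything above I2C_SMBUS_BLOCK_MAX; a short comment saying the limit is the 32-byte payload named in Documentation/i2c/dev-interface would keep the two from being read as a mismatch.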