Date: Tue, 14 Jan 2020 10:34:06 +0300
From: Dan Carpenter
To: Jean Delvare, Daniel Kurtz
Cc: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot
Subject: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Message-ID: <20200114073406.qaq3hbrhtx76fkes@kili.mountain>
In-Reply-To: <0000000000009586b2059c13c7e1@google.com>

Assigning "priv->data[-1] = priv->len;" obviously doesn't make sense.
What it does is it ends up corrupting the last byte of priv->len so
priv->len becomes a very high number.

Reported-by: syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com
Fixes: d3ff6ce40031 ("i2c-i801: Enable IRQ for byte_by_byte transactions")
Signed-off-by: Dan Carpenter
---
Untested.

 drivers/i2c/busses/i2c-i801.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index f5e69fe56532..420d8025901e 100644 --- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c @@ -584,7 +584,6 @@ static void i801_isr_byte_done(struct i801_priv *priv) "SMBus block read size is %d\n", priv->len); } - priv->data[-1] = priv->len; } /* Read next byte */ -- 2.11.0
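
Review bot: The deleted store `priv->data[-1] = priv->len;` sits at the end of the branch that has just logged priv->len as the SMBus block read size, so it may be the way the received length is handed back to the caller through the byte just before priv->data; removing it outright, in a patch marked "Untested", risks block reads completing without a length being reported. The changelog asserts that data[-1] overlaps the last byte of priv->len, but nothing in this hunk shows where priv->data points. Please state in the commit message how priv->data is initialised on this path, and if it can point at the start of a buffer, replace the negative index with an explicit, documented length store instead of dropping the assignment.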