Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4902240ybl;
        Mon, 13 Jan 2020 23:35:34 -0800 (PST)
X-Google-Smtp-Source: APXvYqycxmpvPEFmhZVrlDjYgeQ5KccDvSkxurbA7lFBomvc6tzK5yCrGrzKp7ECfk4MYNBrDFNO
X-Received: by 2002:a05:6830:2116:: with SMTP id i22mr16755449otc.0.1578987334609;
        Mon, 13 Jan 2020 23:35:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578987334; cv=none;
        d=google.com; s=arc-20160816;
        b=KOSvhxnlLsGRe40MaUQJJW2f87BV19oNYHE1S1vHnZIlxWeRxuJa5EerH5YnwKQtA6
         zzC+jzzWTw11KSW74f9n3IVHBdvR8jmMpKwxVTCXWZQZbSV+cVOUqyli2qByTRSeGhxO
         5UjE/TNK+NpuKB649ew7eO6DkfHp3DrtdSwaoVYWuJ0LxuLlTCb3tTN15t5rSwXq+dvG
         j8XBy6pZMUi8Ws3v50uCEnCfheqLAiZSQWlUZglGQZTtUVW5sBDjRTocGQNKZDsbvBKX
         hFW3czicD8lK5ylxeCKlUZCcI1FmgT6AKfJQl4r7Z9yhfuMppe053sYPQqJpnNSGKNgb
         qSQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=UaGSgT1rbPoNIUsnFhw2dKGfxppFu6+AxAWorBNHUyQ=;
        b=SBxioqTkcPfi6B6ZpGXI4vVMULZt56GVA855TtG4mmWc0VLsUycqeL52PCRzh2zSr6
         zmd1Qg79gRHADtMoMlPGRY4F8o1rem77Q1UcmDvZ/lQ5pFCk40I1UOiG8Sjq6Bt5GJ2d
         /QaYhAsxWJOxBHlScptsmJSDxUtdd0RPwG2XNjl5vc5Czskp6F65b8jp2IFt5Vs7aIC4
         oT/VFicpOr1ZvBqfNUofAV/Vs0q9AijkXQaYZQ+mx5AFr9hQ4PfPo+PDkL2RmJl52Um2
         ZWEg45ydLV0+BvrMEP49jNbKlNrOzjcuXifmO8ZJQiHZQaPheBPlB1FeFmXyo9eO1EpU
         9FSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2019-08-05 header.b=UqX2RrbY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v5si7107273oix.197.2020.01.13.23.35.20;
        Mon, 13 Jan 2020 23:35:34 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2019-08-05 header.b=UqX2RrbY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729040AbgANHeX (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Tue, 14 Jan 2020 02:34:23 -0500
Received: from aserp2120.oracle.com ([141.146.126.78]:35940 "EHLO
        aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728801AbgANHeX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Jan 2020 02:34:23 -0500
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1])
        by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00E7TEk6172803;
        Tue, 14 Jan 2020 07:34:17 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc
 : subject : message-id : mime-version : content-type : in-reply-to;
 s=corp-2019-08-05; bh=UaGSgT1rbPoNIUsnFhw2dKGfxppFu6+AxAWorBNHUyQ=;
 b=UqX2RrbYPdbrG/nSi5qkg+qJTqYER8ULcgZLNlOWEWuPxvBtbUOu52kYpqZEZjan4ag6
 SPR1MVg6xKQQaWhlkpsaG3VJBJLexAthvvnAeg6AmmrhBmFxFCA3xG7odkRO3jXtn0Mh
 khq0j1BdIsRyN9vHsj//w32DiPRuZpYugEwSydTbtgku8HIGV2grRcS/ohZ4wJBQxwl7
 HYpiRQKJcT7bc3/bsoXkb7kjq5o9/AwzF/0K3C0u1D0Iu24bi7QGrbRbcpQRa8/2m/ZT
 mQ2dHv+oXSUrPP/CPVjqdin78wieHkKQp/UfbfII84oqI9xwTN5VwCz8WrmkTrvHzXB6 dQ== 
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80])
        by aserp2120.oracle.com with ESMTP id 2xf73tm0d9-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Tue, 14 Jan 2020 07:34:17 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1])
        by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00E7TLZB188445;
        Tue, 14 Jan 2020 07:34:16 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])
        by userp3030.oracle.com with ESMTP id 2xh2sc29cu-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Tue, 14 Jan 2020 07:34:16 +0000
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18])
        by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 00E7YEx9010906;
        Tue, 14 Jan 2020 07:34:14 GMT
Received: from kili.mountain (/129.205.23.165)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Mon, 13 Jan 2020 23:34:13 -0800
Date:   Tue, 14 Jan 2020 10:34:06 +0300
From:   Dan Carpenter <dan.carpenter@oracle.com>
To:     Jean Delvare <khali@linux-fr.org>,
        Daniel Kurtz <djkurtz@chromium.org>
Cc:     linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzbot <syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com>
Subject: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Message-ID: <20200114073406.qaq3hbrhtx76fkes@kili.mountain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0000000000009586b2059c13c7e1@google.com>
X-Mailer: git-send-email haha only kidding
User-Agent: NeoMutt/20170113 (1.7.2)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9499 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=100 suspectscore=0 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=100 mlxscore=100 mlxlogscore=-1000
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1911140001 definitions=main-2001140065
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9499 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=100 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=100 clxscore=1011
 lowpriorityscore=0 mlxscore=100 impostorscore=0 mlxlogscore=-1000
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1911140001 definitions=main-2001140065
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Assigning "priv->data[-1] = priv->len;" obviously doesn't make sense.
What it does is it ends up corrupting the last byte of priv->len so
priv->len becomes a very high number.

Reported-by: syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com
Fixes: d3ff6ce40031 ("i2c-i801: Enable IRQ for byte_by_byte transactions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Untested.

 drivers/i2c/busses/i2c-i801.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index f5e69fe56532..420d8025901e 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -584,7 +584,6 @@ static void i801_isr_byte_done(struct i801_priv *priv)
 					"SMBus block read size is %d\n",
 					priv->len);
 			}
-			priv->data[-1] = priv->len;
 		}
 
 		/* Read next byte */
-- 
2.11.0