Date: Sat, 22 Feb 2020 13:45:23 +0100
From: Wolfram Sang
To: Dan Carpenter
Cc: Jean Delvare, Daniel Kurtz, linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot, Jarkko Nikula
Subject: Re: [PATCH] i2c: i801: Fix memory corruption in i801_isr_byte_done()
Message-ID: <20200222124523.GI1716@kunai>
In-Reply-To: <20200114073406.qaq3hbrhtx76fkes@kili.mountain>

On Tue, Jan 14, 2020 at 10:34:06AM +0300, Dan Carpenter wrote:
> Assigning "priv->data[-1] = priv->len;" obviously doesn't make sense.
> What it does is it ends up corrupting the last byte of priv->len so
> priv->len becomes a very high number.
>
> Reported-by: syzbot+ed71512d469895b5b34e@syzkaller.appspotmail.com
> Fixes: d3ff6ce40031 ("i2c-i801: Enable IRQ for byte_by_byte transactions")
> Signed-off-by: Dan Carpenter
> ---

Daniel, Jean: what do you think? Also, adding Jarkko to CC who works a lot
with this driver...

> Untested.
>
> drivers/i2c/busses/i2c-i801.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c > index f5e69fe56532..420d8025901e 100644 > --- a/drivers/i2c/busses/i2c-i801.c > +++ b/drivers/i2c/busses/i2c-i801.c
> @@ -584,7 +584,6 @@ static void i801_isr_byte_done(struct i801_priv *priv) > "SMBus block read size is %d\n", > priv->len); > } > - priv->data[-1] =3D priv->len; > } > =20 > /* Read next byte */ > --=20 > 2.11.0 >=20
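
Review bot: The removed store "priv->data[-1] = priv->len;" in i801_isr_byte_done() sits directly after the "SMBus block read size is %d" debug print, and the commit message says what it corrupts but not what it was meant to write or why index -1 is out of bounds in this path. If that line was how the received block size got handed back to the caller, deleting it without a replacement drops the value, so the changelog should state what priv->data points at here and where the length is returned instead. The patch is also marked "Untested"; a block read exercised on hardware, or a run against the syzbot reproducer, should confirm the behaviour before this is merged with a Fixes: tag.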