From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mans Rullgard, Wolfram Sang, Sasha Levin
Subject: [PATCH 4.19 087/131] i2c: core: check returned size of emulated smbus block read
Date: Mon, 29 Jun 2020 11:34:18 -0400
Message-Id: <20200629153502.2494656-88-sashal@kernel.org>
In-Reply-To: <20200629153502.2494656-1-sashal@kernel.org>
References: <20200629153502.2494656-1-sashal@kernel.org>
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.131-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-4.19.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 4.19.131-rc1
X-KernelTest-Deadline: 2020-07-01T15:34+00:00
X-stable: review

From: Mans Rullgard

[ Upstream commit 40e05200593af06633f64ab0effff052eee6f076 ]

If the i2c bus driver ignores the I2C_M_RECV_LEN flag (as some of
them do), it is possible for an I2C_SMBUS_BLOCK_DATA read issued
on some random device to return an arbitrary value in the first
byte (and nothing else). When this happens, i2c_smbus_xfer_emulated()
will happily write past the end of the supplied data buffer, thus
causing Bad Things to happen. To prevent this, check the size
before copying the data block and return an error if it is too
large.

Fixes: 209d27c3b167 ("i2c: Emulate SMBus block read over I2C")
Signed-off-by: Mans Rullgard
[wsa: use better errno]
Signed-off-by: Wolfram Sang
Signed-off-by: Sasha Levin
--- drivers/i2c/i2c-core-smbus.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index 9cd66cabb84fd..8d6fad05b0c7f 100644 --- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c @@ -497,6 +497,13 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, break; case I2C_SMBUS_BLOCK_DATA: case I2C_SMBUS_BLOCK_PROC_CALL: + if (msg[1].buf[0] > I2C_SMBUS_BLOCK_MAX) { + dev_err(&adapter->dev, + "Invalid block size returned: %d\n", + msg[1].buf[0]); + status = -EPROTO; + goto cleanup; + } for (i = 0; i < msg[1].buf[0] + 1; i++) data->block[i] = msg[1].buf[i]; break; -- 2.25.1
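
Review bot: the dev_err() in the new check under case I2C_SMBUS_BLOCK_DATA / I2C_SMBUS_BLOCK_PROC_CALL fires on every transfer whose first byte exceeds I2C_SMBUS_BLOCK_MAX, and per the commit message that byte is whatever a device behind an adapter ignoring I2C_M_RECV_LEN happens to return, so a caller polling such a device can flood the kernel log. Consider dev_err_ratelimited() there. A short comment above the check would also help, stating that msg[1].buf[0] is a device-supplied length the adapter may not have validated, since the loop bound `msg[1].buf[0] + 1` directly below depends on this check staying in front of it.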