Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp118075pxb; Mon, 7 Feb 2022 07:34:22 -0800 (PST) X-Google-Smtp-Source: ABdhPJyB5Tc1d59g8wMZGI9wZKH1JKnh3MjZUlfsX5G94/eufBYYIp6rj2FUxffQZosIjAqfvXii X-Received: by 2002:a05:6402:270a:: with SMTP id y10mr14847971edd.413.1644248061983; Mon, 07 Feb 2022 07:34:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644248061; cv=none; d=google.com; s=arc-20160816; b=Ihx+cZvBk2TwK6InwpG/bxiqrY2yZWBIh2TNw6slJ2tFv9OVA6e6n66DObzEHCk3NO fIH1mm559hpK48xL9qUq+VTeBk0dDFKEci0T7CLD6HK1wg9fW44Zd7cqxV70WqmLEd+2 ApxnFiY0wK77RqlN/gPIUu0JVq9ePQzGQjInnofCHe86KZocktywoZHipGHADQ7eOXL8 nVRaBGYE/sBXMpAQAJ0012US14hRGHQnvPTPrASkBmuDJzKbJAfLODMBCyFlYtjrrfY1 WSSMMbxpTNeBQdfkvDdbhtW3QQX1Z5WM1W+rJb+YEeefqkAQ6dPytZrc6ssNQde4Q7mx NTbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=SWhhT8jFmnU2pjoM0/QnnyBc9JunG/+wIXj29Er2ODU=; b=A4P9oVayh/qo4oH1kclw5o1fxKi1qN3gh9IWiBeoqKZVLySCuUwc9ltPf7tmVeaUmy Y+BslxZCBjK/8L7hyHDnGz+cUuhb6Ux82sALtYA/tKPtL3RPW1GuC0kIiYs2yX3qdhfO Fyjz+THmigRpHx4CRp+0jskDRf3jJOWrS9FkKW2K++JTmegZuntRhQCK4iPm4B5m6rZm aUlyXD/QQ/4+gTn5w2NrmYH6xqUAGVnR2t8KJ7jSpEBnjh/TdPeh8lVU+am6id4QOQ+l 1v+ci1IeunQIu025aOpl0vgPilO/CpphE5KYiK20YMsufqxbx4gA0UDJE5VeA2p8Qn7l +ZAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protocubo.io header.s=google header.b=AwjURXAs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protocubo.io Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e4si8808029ejs.21.2022.02.07.07.33.56; Mon, 07 Feb 2022 07:34:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@protocubo.io header.s=google header.b=AwjURXAs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protocubo.io Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352431AbiBCQvL (ORCPT + 99 others); Thu, 3 Feb 2022 11:51:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352419AbiBCQvK (ORCPT ); Thu, 3 Feb 2022 11:51:10 -0500 Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64A68C061714 for ; Thu, 3 Feb 2022 08:51:10 -0800 (PST) Received: by mail-oi1-x22a.google.com with SMTP id q186so4939235oih.8 for ; Thu, 03 Feb 2022 08:51:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protocubo.io; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=SWhhT8jFmnU2pjoM0/QnnyBc9JunG/+wIXj29Er2ODU=; b=AwjURXAsePvPFZJhH+OSnGku4Vh9TFmYnIeoBQS/eEW0NXTgZ51DGx2kTm0Y4ot/xd gPVzs77zllpgmtphMo3F0Kt43MqBp/ijLPe6VLm08OyItdSeSpuWT0Kn3mWoW9AUoLuI 9ZVSeEXWTev6q3diuxhfjcVlJE+3TEeyHHixxxj7Z0kyhLr7qP6L1J3Ib1+4E/A1hrdV mef4TxbI390vqGSuvz6CFMaehZo5HxOwBKUT1oL5Vht1ofz1CIXEGhws+KzoAh60BO/T XO/fCkCSb/QS9/UtaDWtCXo0SG4HFKi3JU+TBL4QqtVz4ONl8IY23qKd/Y3BoPqcWjae KXfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=SWhhT8jFmnU2pjoM0/QnnyBc9JunG/+wIXj29Er2ODU=; b=WH0rMmXdweFBeXfQGmNQdzRI6PBQ4PfG/6X/YvoR2jh433v+2mvxQNkWdnFnMgoXOn Ld6sVCjNHn1ZC4UPnk/cvB3emzPLEtarA5rAmyTMaOO4QBuXTRriAMJwl8w5MspKydkt tzh7Ykc1y4wjDvH5wPgAk8ruZF0NK5Ne8WK41aXdIFnCWV0xPpHd8+BJ+JiqXGeuo2sp GqW5hmjuF/9mYPcgPYdDVIqSbYdsVUmgV6J7MN3BQwKPVrw64amP3dXREghG6E1pNMLn kpsD3MlJ/rjLrJqrblNGPvlTqnmOmq7fR4MttiIhjrBmF0gLe+XM3/sbTI8xo7YYmIhz hqjQ== X-Gm-Message-State: AOAM533hNPGq1pxrUtFtsElNb44d1HKeV7IluUYaOdiYnpXrZYXCG9GZ NhM/IY104DSUCIJU6QCCdkIezQ== X-Received: by 2002:a05:6808:14c1:: with SMTP id f1mr7988292oiw.12.1643907069791; Thu, 03 Feb 2022 08:51:09 -0800 (PST) Received: from calvin.localdomain ([186.205.28.163]) by smtp.gmail.com with ESMTPSA id t20sm18348318oov.35.2022.02.03.08.51.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Feb 2022 08:51:09 -0800 (PST) From: Jonas Malaco To: Arnd Bergmann , Greg Kroah-Hartman Cc: Jonas Malaco , stable@vger.kernel.org, Heiner Kallweit , Wolfram Sang , linux-kernel@vger.kernel.org Subject: [PATCH] eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX Date: Thu, 3 Feb 2022 13:49:52 -0300 Message-Id: <20220203165024.47767-1-jonas@protocubo.io> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. Fixes: effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") Cc: stable@vger.kernel.org Signed-off-by: Jonas Malaco --- drivers/misc/eeprom/ee1004.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/misc/eeprom/ee1004.c b/drivers/misc/eeprom/ee1004.c index bb9c4512c968..9fbfe784d710 100644 --- a/drivers/misc/eeprom/ee1004.c +++ b/drivers/misc/eeprom/ee1004.c @@ -114,6 +114,9 @@ static ssize_t ee1004_eeprom_read(struct i2c_client *client, char *buf, if (offset + count > EE1004_PAGE_SIZE) count = EE1004_PAGE_SIZE - offset; + if (count > I2C_SMBUS_BLOCK_MAX) + count = I2C_SMBUS_BLOCK_MAX; + return i2c_smbus_read_i2c_block_data_or_emulated(client, offset, count, buf); } base-commit: 88808fbbead481aedb46640a5ace69c58287f56a -- 2.35.1