From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Heiner Kallweit, Jonas Malaco
Subject: [PATCH 5.4 53/71] eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX
Date: Mon, 14 Feb 2022 10:26:21 +0100
Message-Id: <20220214092453.828207928@linuxfoundation.org>
In-Reply-To: <20220214092452.020713240@linuxfoundation.org>
References: <20220214092452.020713240@linuxfoundation.org>

From: Jonas Malaco commit c0689e46be23160d925dca95dfc411f1a0462708 upstream. Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. Fixes: effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") Cc: stable@vger.kernel.org Reviewed-by: Heiner Kallweit Signed-off-by: Jonas Malaco Link: https://lore.kernel.org/r/20220203165024.47767-1-jonas@protocubo.io Signed-off-by: Greg Kroah-Hartman --- drivers/misc/eeprom/ee1004.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/misc/eeprom/ee1004.c +++ b/drivers/misc/eeprom/ee1004.c @@ -82,6 +82,9 @@ static ssize_t ee1004_eeprom_read(struct if (unlikely(offset + count > EE1004_PAGE_SIZE)) count = EE1004_PAGE_SIZE - offset; + if (count > I2C_SMBUS_BLOCK_MAX) + count = I2C_SMBUS_BLOCK_MAX; + status = i2c_smbus_read_i2c_block_data_or_emulated(client, offset, count, buf); dev_dbg(&client->dev, "read %zu@%d --> %d\n", count, offset, status);
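
Review bot: the added clamp in front of the i2c_smbus_read_i2c_block_data_or_emulated() call has no comment saying why it is there, and it turns every request above I2C_SMBUS_BLOCK_MAX into a short read. The commit message gives the reason (the length parameter is a u8, so count == 256 wraps), and a one-line comment above `if (count > I2C_SMBUS_BLOCK_MAX)` stating that would keep the check from being removed later as redundant with the EE1004_PAGE_SIZE clamp just before it. The caller is not visible in this hunk, so it is worth confirming that it loops on the returned length and advances the offset rather than assuming one call fills the whole request; with this change a full-EEPROM read from user space needs several calls per page. The dev_dbg() line after the call now prints the clamped count, which is the value actually sent on the bus, so that part is fine as it stands.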