Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp1452811lqj; Tue, 4 Jun 2024 01:50:46 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUGyacBb/eHak7wt04TorwX67fbcVfpM75E5TjI9VgjZHr2o51gXlvmkVC2jr77/eRz9xf5fA4sijae1Xww6Moz4qx47yciGvhq6InwBg== X-Google-Smtp-Source: AGHT+IHjRHHxh7xNL8WlGUjAn+KRwVlGYrfP+KYewl+kEBbISp5OP8WAEspUoRc/tTLYJDVkoY30 X-Received: by 2002:a05:6358:e49e:b0:199:a0e3:f8 with SMTP id e5c5f4694b2df-19b490c8e96mr1395919755d.29.1717491046060; Tue, 04 Jun 2024 01:50:46 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717491046; cv=pass; d=google.com; s=arc-20160816; b=P7FIe8JpPySu89AVK7BQhmkY6wF7r3dnJo+oohpZq2yihznxOC6tMFFv7Nc5h+nuHk +KnKBbVCQO6ahzind5iwukFb2FmF9J+Tn2i6m3c5KB/76jZAW9Zq4bIEU02sHZgjeozt MEb2Iarls1U/eNBtuWyNrcL/MjaOBzuicQng1gQZ03IFP7zdl7PbijgMGaQED/P0kbCI pClGOpPQbpw+fVtinxaYUOOKICnTntYp5llQ9wPjC765OzaELu+DAGfhaWT4azAVX6Ft PLvbB6JjW4GC8pf7clveQEE1KOUqXWDVW5Tqv/kXrR4gKASGEROVhnjeH8r8MKmcR5vC 1pMQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=9m0udGVcBfGslrF6YCgHx585x/QcfuEfa9X406f+ogE=; fh=rAt2b0PVd/7B2PABYf88aYDj8mG/GsvsYuQeZnmyt3Q=; b=eLHAMhfo5rmtTMosO0vCyWi1aNm2t3+yIpO2fhC7AxAHykeQGYMzq5yx2tQ+zF+wte 4kv/BUS/v/elDhT2H84e7Ti6OIw2eBl2iLUl9zYh5AfPVfdGeFzEtPb7Emkim5/d6JeR pZJAGQ1qq1n96hzHV0aSNGAO2PY6iKnlSvZ2L2KbwLrC+BZKWaLAVgQHVeB1fnKW1wyG hJx4aT/+hYUsdSt110WwypzPZ1BV/jP5DoB/32osU/JdaNSq6BUUybxS9LldUhmIQZKW zQ9W1F7u7lFc4AHBgnzA+2yjKnmcdiGLshsWrLncH6Vr7CqU3ivVXs/BZUJHYK2rdhCz DdYA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@sang-engineering.com header.s=k1 header.b=FJ6agKLZ; arc=pass (i=1 spf=pass spfdomain=sang-engineering.com dkim=pass dkdomain=sang-engineering.com); spf=pass (google.com: domain of linux-kernel+bounces-200276-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-200276-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-6c35c1819c5si7741011a12.651.2024.06.04.01.50.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 04 Jun 2024 01:50:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-200276-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@sang-engineering.com header.s=k1 header.b=FJ6agKLZ; arc=pass (i=1 spf=pass spfdomain=sang-engineering.com dkim=pass dkdomain=sang-engineering.com); spf=pass (google.com: domain of linux-kernel+bounces-200276-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-200276-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id AF7AC281822 for ; Tue, 4 Jun 2024 08:50:43 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E2C82142E8F; Tue, 4 Jun 2024 08:50:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=sang-engineering.com header.i=@sang-engineering.com header.b="FJ6agKLZ" Received: from mail.zeus03.de (www.zeus03.de [194.117.254.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D688142E71 for ; Tue, 4 Jun 2024 08:50:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=194.117.254.33 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717491038; cv=none; b=U3CJYmGe+9ZvuE1HClfDRGasbtiL/Vr4TLcoZU0X0PFOstPOQD0rAEybxYNJT1yEr9dKIt8Tp+YIqMSrCrysySIRyz1/xtBrqrnKzwntcso3ipWLMZCInvEyRDmyHF83B2unrp2cSHwxHKZkuDJ5LIaTbAG/pOHYVEG3yeigemI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717491038; c=relaxed/simple; bh=/82jAxl1bZX5xtR/X9gizbSQ2/4wMrIRGo3/dkUnlT0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FUCfRY9CGRsR8KRDWUkEgbXnBorFqWjKhHTcFoHn1qpGD9ilA608GhPGm7TuzsxDxJBN9Gq37d8p/ossX02fhwb+bBlhbtRvnEOS1j/5kHjTE8HgHMQNJSXzAdq4UwGO0Vye1jJDejb9zpUf9mhWTThCGEmaj/qBX7yzcyxB1LI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sang-engineering.com; spf=pass smtp.mailfrom=sang-engineering.com; dkim=pass (2048-bit key) header.d=sang-engineering.com header.i=@sang-engineering.com header.b=FJ6agKLZ; arc=none smtp.client-ip=194.117.254.33 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sang-engineering.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sang-engineering.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= sang-engineering.com; h=date:from:to:cc:subject:message-id :references:mime-version:content-type:in-reply-to; s=k1; bh=9m0u dGVcBfGslrF6YCgHx585x/QcfuEfa9X406f+ogE=; b=FJ6agKLZJSbSFnGfeZay qwhVAeYvizTy72wVpjvbp6NKJQuYQvoAiah/GQNrLsR7KlZpWQcRlX/RZiA/79pz A+Dwj7VS6SgV82Gb9w80ZhNEmQzUMKXZea7bG2iO9zcbRJU6xq7sRzbDKbSOKT1t TCjbKOAnc6MFqSjlzFuKWESadlK7fGS3BD9XdpwKHk6NF8Ug9qm/DmJdOaL/3c8y UDBQ/R50KXnN5mc8nsKC+1HXz4Q5Rm7PgTuLukTVZTRzvG0fneFZjv6MSxsfOjSe 7WONQm+LJ7ON0bI3JbSOVFzsQ8visq03LhDzRRrouI/7XbUEcXYW8rALk8WWYiAS RA== Received: (qmail 2254511 invoked from network); 4 Jun 2024 10:50:30 +0200 Received: by mail.zeus03.de with ESMTPSA (TLS_AES_256_GCM_SHA384 encrypted, authenticated); 4 Jun 2024 10:50:30 +0200 X-UD-Smtp-Session: l3s3148p1@psbEigwakq0gAwDPXzLGAH1eNELjOc3g Date: Tue, 4 Jun 2024 10:50:30 +0200 From: Wolfram Sang To: Jean Delvare Cc: linux-renesas-soc@vger.kernel.org, Baruch Siach , linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, Peter Rosin Subject: Re: [PATCH] i2c: smbus: fix NULL function pointer dereference Message-ID: Mail-Followup-To: Wolfram Sang , Jean Delvare , linux-renesas-soc@vger.kernel.org, Baruch Siach , linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, Peter Rosin References: <20240426064408.7372-1-wsa+renesas@sang-engineering.com> <1e626d93f4220cc348300bbc61089de32300122d.camel@suse.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ksynbm66oyue3y2r" Content-Disposition: inline In-Reply-To: <1e626d93f4220cc348300bbc61089de32300122d.camel@suse.de> --ksynbm66oyue3y2r Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Jean, > I have a hard time establishing a formal link between the reported bug > and the commit listed above. I do understand that it wouldn't make > sense to register an i2c_adapter with neither .master_xfer nor > .smbus_xfer set before .reg_slave was added to struct i2c_algorithm, > but there were no checks in i2c-core preventing it from happening. Well, yes, correct. > It was also possible for any (broken) device driver to call > __i2c_transfer() without first checking if plain I2C transfers were > actually supported by the i2c_adapter. I would argue that such an issue > should have been fixed at the device driver level by checking for the > I2C_FUNC_I2C functionality flag before calling __i2c_transfer(). That's > a theoretical issue though as I'm not aware of any device driver having > this issue. In theory, checking against I2C_FUNC_I2C should happen. In practice, most I2C drivers do not do this. Being picky here could results in bad user experience because of OOPS. If we really want to enforce checking I2C_FUNC_I2C, then we should have this safety net while we convert all users. No, actually, I think we always should have some safety nets. > The call stack in Baruch's report shows that the real issue is with > i2c_smbus_xfer_emulated() being called with the i2c bus lock already > held, and thus having to call __i2c_transfer() instead of > i2c_transfer(). This code path did not exist before commit 63453b59e411 > ("i2c: smbus: add unlocked __i2c_smbus_xfer variant"), which was added > in kernel v4.19. Therefore I claim that CVE-2024-35984 only affects > kernel v4.19 and newer. Do we agree on that? (There is a CVE for it??) For Baruch's case, this is true. But there are __i2c_transfer users all over the tree, they are all potentially vulnerable, or? > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if (!adap->algo->master_xfer= ) { > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0dev_dbg(&adap->dev, "I2C level transfers not supported= \n"); > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0return -EOPNOTSUPP; > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0} > > + >=20 > Not related specifically to this commit, as it is only moving a check > which already existed before, but this looks inefficient to me. >=20 > We end up performing the check with every I2C-level transfer, while the > availability of such support can almost always be checked once and for > all in the I2C device driver (i2c-dev and i2c_smbus_xfer_emulated being > the exceptions). >=20 > I see two ways for us to reach this check: > * __i2c_transfer() or i2c_transfer() gets called directly by a device > driver. This driver should have checked for the I2C_FUNC_I2C > functionality flag before calling either function. If they did not, > it's a driver bug, which should be fixed in the driver in question. I see the performance penalty, yet I prefer handling the buggy driver gracefully because kicking off I2C transfers is not a hot path. Maybe we could turn the dev_dbg into something louder to make people aware that there is a bug? > Note that i2c-dev currently lacks this check, I think it should be > added. True, it should be a role-model of a good citizen :) > * __i2c_transfer() gets called by i2c_smbus_xfer_emulated(). We should > add a check for I2C_FUNC_I2C in __i2c_smbus_xfer() before calling this > function. This is more or less what Baruch proposed initially, and I > think it would have been a more efficient fix. As I said above, more efficient but not thorough. One driver not checking I2C_FUNC_I2C and boom... > And if you are concerned about functionality flags not being set > properly (specifically I2C_FUNC_I2C being set while .master_xfer isn't > set [1]) then we should add a consistency check at i2c_adapter > registration time, so again it's done once and for all and we don't > have to check again and again at transfer time. I think this check is worth to have. It is not complete because drivers may still not check the flag, but it is one step to be more robust. > Or is this optimization not worth it? I think so. It is one pointer check against a kernel oopsing somewhere somewhen. > [1] BTW, looking at the only two in-tree slave-only I2C adapter > drivers, i2c-at91-slave and i2c-designware-slave, both are setting > functionality flags other than I2C_FUNC_SLAVE. Unless I don't > understand how the slave functionality works, this is a bug. I'll > prepare and post patches later today. Thanks for doing that! Happy hacking, Wolfram --ksynbm66oyue3y2r Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEOZGx6rniZ1Gk92RdFA3kzBSgKbYFAmZe1VEACgkQFA3kzBSg KbYpeQ//dIw4KlFvx97wH/kz2omtgShRsM4PBlclKbm20ZkoYdTr1F5Rya2uE3tm +xEF83Pg/m3t64S2PVpLIhfQmN0u3z7/+hcPH6CpXE0hGpLoO41JHPELd5p9FYB2 LS300jBoSgcLryw8IAFjR3YQA/UaSeXk5OHKyAZgJPJTdY+aDFCFbJnJnAl2hyEs pEirJeX0Ajqp7B01YcCeD5AeImMQQalBV2zHYlKfmmCTN4w9NQj969igBi0O6gSA XcLxno7rqOamgSmdcouxEI7e1uSWdnIReAyw8nGKfZ9bzYKJUa8C9cBfJ7JJ6XGt Rb3Y8INN6rJZv9V4oi+5xzNCEYaiyYDgALMp0OfMG664isMzaVMT7DqTo8S8Qw7H 4MMDmSQJTYIKoh2XpKABL8USm3SDKEglAoSN+RD0wEuEOu5BGDKMQqlOIukQwfqf ssQuLVklbLrtMgNsxJibDBdMYJnOYfBYoNljVaRs9MIf0oypT6zO7Px7wv2sYyGo HpUcbFmovXAlmqwljNACIqAYms9Kw4P/istl//wd+yr6MI5Qkx0IftQiC6/bqf5e mdYbqOuXNbwnVLd8nGMVRMYUMxTU+LeC1clNWAXzBhlgAqFo2gQmZMgsEll3X0Jq g2qHB8KoF8KlqulH7WBm7SRL2zmbCaV5xqN0BSozutvjqs0kJgY= =eDfQ -----END PGP SIGNATURE----- --ksynbm66oyue3y2r--