lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9782f44e-4e01-4e5d-cc50-ab9e2219085c@linux.intel.com>
Date:   Tue, 16 Jun 2020 16:22:30 +0300
From:   Jarkko Nikula <jarkko.nikula@...ux.intel.com>
To:     Sultan Alsawaf <sultan@...neltoast.com>,
        Aaron Ma <aaron.ma@...onical.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        Hans de Goede <hdegoede@...hat.com>,
        HungNien Chen <hn.chen@...dahitech.com>,
        Jiri Kosina <jikos@...nel.org>,
        Kai-Heng Feng <kai.heng.feng@...onical.com>,
        linux-i2c@...r.kernel.org, linux-input@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Mika Westerberg <mika.westerberg@...ux.intel.com>,
        Pavel Balan <admin@...ma.net>, Tin Huynh <tnhuynh@....com>,
        Wolfram Sang <wsa@...nel.org>,
        You-Sheng Yang <vicamo.yang@...onical.com>
Subject: Re: [PATCH 1/2] i2c: designware: Only check the first byte for SMBus
 block read length

On 6/15/20 12:02 AM, Sultan Alsawaf wrote:
> From: Sultan Alsawaf <sultan@...neltoast.com>
> 
> SMBus block reads can be broken because the read function will just skip
> over bytes it doesn't like until reaching a byte that conforms to the
> length restrictions for block reads. This is problematic when it isn't
> known if the incoming payload is indeed a conforming block read.
> 
> According to the SMBus specification, block reads will only send the
> payload length in the first byte, so we can fix this by only considering
> the first byte in a sequence for block read length purposes.
> 
> Fixes: c3ae106050b9 ("i2c: designware: Implement support for SMBus block read and write")
> Signed-off-by: Sultan Alsawaf <sultan@...neltoast.com>
> ---
>   drivers/i2c/busses/i2c-designware-master.c | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c
> index d6425ad6e6a3..16d38b8fc19a 100644
> --- a/drivers/i2c/busses/i2c-designware-master.c
> +++ b/drivers/i2c/busses/i2c-designware-master.c
> @@ -398,7 +398,6 @@ i2c_dw_recv_len(struct dw_i2c_dev *dev, u8 len)
>   	len += (flags & I2C_CLIENT_PEC) ? 2 : 1;
>   	dev->tx_buf_len = len - min_t(u8, len, dev->rx_outstanding);
>   	msgs[dev->msg_read_idx].len = len;
> -	msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN;
>   
>   	return len;
>   }

Please update the comment about masking the flag a few lines above this 
change.

> @@ -430,10 +429,11 @@ i2c_dw_read(struct dw_i2c_dev *dev)
>   			u32 flags = msgs[dev->msg_read_idx].flags;
>   
>   			regmap_read(dev->map, DW_IC_DATA_CMD, &tmp);
> -			/* Ensure length byte is a valid value */
> -			if (flags & I2C_M_RECV_LEN &&
> -			    tmp <= I2C_SMBUS_BLOCK_MAX && tmp > 0) {
> -				len = i2c_dw_recv_len(dev, tmp);
> +			if (flags & I2C_M_RECV_LEN) {
> +				/* Ensure length byte is a valid value */
> +				if (tmp <= I2C_SMBUS_BLOCK_MAX && tmp > 0)
> +					len = i2c_dw_recv_len(dev, tmp);
> +				msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN;
>   			}
>   			*buf++ = tmp;
>   			dev->rx_outstanding--;

With above comment change this looks good to me.

-- 
Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ