lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jun 2022 19:43:03 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com>, Mika Westerberg <mika.westerberg@...ux.intel.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Zheyu Ma <zheyuma97@...il.com> Subject: [PATCH 5.18 02/67] i2c: ismt: prevent memory corruption in ismt_access() From: Dan Carpenter <dan.carpenter@...cle.com> commit 690b2549b19563ec5ad53e5c82f6a944d910086e upstream. The "data->block[0]" variable comes from the user and is a number between 0-255. It needs to be capped to prevent writing beyond the end of dma_buffer[]. Fixes: 5e9a97b1f449 ("i2c: ismt: Adding support for I2C_SMBUS_BLOCK_PROC_CALL") Reported-and-tested-by: Zheyu Ma <zheyuma97@...il.com> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> Reviewed-by: Mika Westerberg <mika.westerberg@...ux.intel.com> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/i2c/busses/i2c-ismt.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/i2c/busses/i2c-ismt.c +++ b/drivers/i2c/busses/i2c-ismt.c @@ -528,6 +528,9 @@ static int ismt_access(struct i2c_adapte case I2C_SMBUS_BLOCK_PROC_CALL: dev_dbg(dev, "I2C_SMBUS_BLOCK_PROC_CALL\n"); + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + dma_size = I2C_SMBUS_BLOCK_MAX; desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, 1); desc->wr_len_cmd = data->block[0] + 1;
Powered by blists - more mailing lists