lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon,  3 Oct 2022 01:43:45 -0700
From:   Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     harshit.m.mogalapalli@...cle.com, george.kennedy@...cle.com,
        darren.kenny@...cle.com, vegard.nossum@...cle.com,
        stable@...r.kernel.org, Wolfram Sang <wsa@...-dreams.de>,
        linux-i2c@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 4.14 0/1] Fix NULL dereference in i2cdev_ioctl_rdwr()

This backport patch addresses a NULL pointer dereference bug in 4.14.y

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: i2cdev_ioctl_rdwr.isra.2+0xe4/0x360
PGD 13af50067 P4D 13af50067 PUD 13504c067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Dumping ftrace buffer:
  (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17421 Comm: rep Not tainted 4.14.295 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
task: ffff88807c43a080 task.stack: ffffc90000d0c000
RIP: 0010:i2cdev_ioctl_rdwr.isra.2+0xe4/0x360
RSP: 0018:ffffc90000d0fdf0 EFLAGS: 00010297
RAX: ffff88807c43a080 RBX: 0000000000000000 RCX: 0000000000000000
....
Call Trace:
  i2cdev_ioctl+0x1a5/0x2a0
  ? i2cdev_ioctl_rdwr.isra.2+0x360/0x360
  do_vfs_ioctl+0xac/0x840
  ? syscall_trace_enter+0x159/0x4a0
  SyS_ioctl+0x7e/0xb0
  do_syscall_64+0x8d/0x220
....
 RIP: i2cdev_ioctl_rdwr.isra.2+0xe4/0x360 RSP: ffffc90000d0fdf0
....
 Kernel panic - not syncing: Fatal exception
 Rebooting in 86400 seconds..

rdwr_pa[i].buf[0] is a NULL dereference when len=0, so to avoid
dereferencing zero-length buffer we add a check on len before
dereferencing.

I have tested only with the reproducer and the bug doesnot occur
after this patch.

This patch is only made for 4.14.y as other higher LTS branches
(>=4.19.y) already have the fix.

Thanks,
Harshit

Alexander Popov (1):
  i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()

 drivers/i2c/i2c-dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.37.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ