| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250615232857.491602-1-alexguo1023@gmail.com>
Date: Sun, 15 Jun 2025 19:28:57 -0400
From: Alex Guo <alexguo1023@...il.com>
To: jdelvare@...e.com
Cc: alexguo1023@...il.com,
andi.shyti@...nel.org,
linux-i2c@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] i2c: i801: Fix out-of-bounds bug
The data->block[0] variable comes from user. Without proper check,
the variable may be very large to cause an out-of-bounds bug.
Fix this bug by checking the value of data->block[0] first.
Similar commit:
1. commit 39244cc7548 ("i2c: ismt: Fix an out-of-bounds bug in
ismt_access()")
2. commit 92fbb6d1296 ("i2c: xgene-slimpro: Fix out-of-bounds
bug in xgene_slimpro_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@...il.com>
---
drivers/i2c/busses/i2c-i801.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index a7f89946dad4..7503418be39a 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -527,6 +527,8 @@ static int i801_block_transaction_by_block(struct i801_priv *priv,
if (read_write == I2C_SMBUS_WRITE) {
len = data->block[0];
+ if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
iowrite8(len, SMBHSTDAT0(priv));
ioread8(SMBHSTCNT(priv)); /* reset the data buffer index */
iowrite8_rep(SMBBLKDAT(priv), data->block + 1, len);
--
2.34.1
Powered by blists - more mailing lists