Message-ID: <aJB6u1WoNjiE-tZz@shikoro>
Date: Mon, 4 Aug 2025 11:17:47 +0200
From: Wolfram Sang <wsa+renesas@...g-engineering.com>
To: Sven Eckelmann <sven@...fation.org>
Cc: chris.packham@...iedtelesis.co.nz, Alex Guo <alexguo1023@...il.com>,
andi.shyti@...nel.org, linux-i2c@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer

On Mon, Aug 04, 2025 at 10:18:53AM +0200, Sven Eckelmann wrote:
> On Monday, 16 June 2025 01:52:48 CEST Alex Guo wrote:
> > The data->block[0] variable comes from user. Without proper check,
> > the variable may be very large to cause an out-of-bounds bug.
> >
> > Fix this bug by checking the value of data->block[0] first.
> >
> > Similar commit:
> > 1. commit 39244cc7548 ("i2c: ismt: Fix an out-of-bounds bug in
> > ismt_access()")
> > 2. commit 92fbb6d1296 ("i2c: xgene-slimpro: Fix out-of-bounds
> > bug in xgene_slimpro_i2c_xfer()")
> [...]
>
> Please correct me but it looks like this fix was not yet applied to the tree.
> But Chris Packham pointed out that this conflicts with my fixes for SMBUS/
> SMBUS_I2C.
>
> I would like to add my patchset on top of this (to avoid problems with stable
> submission) and add the Fixes: and Cc: stable@...r.kernel.org.
>
> I hope it is ok for you when I would pick this up. I would resubmit the fixes
> patchset this evening (GMT+2).
>
> You can preview it at
> https://git.open-mesh.org/linux-merge.git/log/?h=b4/i2c-rtl9300-multi-byte

Yes, we can do that. In general, it doesn't make sense to add this check
when the ultimate goal is to support SMBus v3 which doesn't need the
check anymore. But if it is blocking further development, we can apply
this. The check will be removed when SMBus v3 support comes in.
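
Added example, not part of the thread and not the rtl9300 driver source: a user-space C model of the length check the quoted commit message describes, where data->block[0] is validated before it is used as a copy size. The hw_fifo_model buffer, the function names and the lower bound of 1 are assumptions of this example; I2C_SMBUS_BLOCK_MAX is 32, as in the Linux UAPI header.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32  /* same value as the Linux UAPI constant */

/* Models the kernel's union i2c_smbus_data: block[0] holds the length,
 * the payload follows from block[1]. */
union smbus_data_model {
    uint8_t byte;
    uint16_t word;
    uint8_t block[I2C_SMBUS_BLOCK_MAX + 2];
};

/* Hypothetical stand-in for a controller's fixed-size transmit buffer. */
struct hw_fifo_model {
    uint8_t buf[I2C_SMBUS_BLOCK_MAX];
    size_t len;
};

/* Reject a caller-supplied length before it reaches memcpy(). Without this
 * check, a length byte of 33..255 would overrun both block[] and buf[]. */
int block_write_checked(struct hw_fifo_model *fifo,
                        const union smbus_data_model *data)
{
    uint8_t len = data->block[0];

    if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
        return -EINVAL;

    memcpy(fifo->buf, &data->block[1], len);
    fifo->len = len;
    return 0;
}

/* Build a constructed request with the given length byte and submit it. */
int try_len(unsigned int len_byte, struct hw_fifo_model *fifo)
{
    union smbus_data_model d;

    memset(&d, 0xAB, sizeof(d));      /* constructed payload bytes */
    d.block[0] = (uint8_t)len_byte;   /* the user-controlled field */
    memset(fifo, 0, sizeof(*fifo));
    return block_write_checked(fifo, &d);
}

int main(void)
{
    struct hw_fifo_model f;
    return (try_len(33, &f) == -EINVAL && try_len(32, &f) == 0) ? 0 : 1;
}
```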