| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5811d6f7-7305-4611-a06f-793343b0412e@wanadoo.fr> Date: Sat, 9 Aug 2025 21:54:39 +0200 From: Christophe JAILLET <christophe.jaillet@...adoo.fr> To: wajahat iqbal <wajahatiqbal22@...il.com>, gregkh@...uxfoundation.org Cc: linux-kernel@...r.kernel.org Subject: Re: [PATCH] misc: ds1682: fix out-of-bounds access in EEPROM functions Le 09/08/2025 à 17:54, wajahat iqbal a écrit : > Found a couple of issues in the ds1682 driver while reviewing the code: > > The EEPROM read/write functions don't check if offset and count exceed > the 10-byte EEPROM size, which could lead to out-of-bounds I2C access. > > Also replaced sprintf with scnprintf in the sysfs show function for > better safety. > > For reads beyond EEPROM size, return 0. For writes, return -EINVAL if > starting beyond bounds, otherwise truncate to fit within the EEPROM. > > Signed-off-by: Wajahat Iqbal <wajahatiqbal22@...il.com> > --- > drivers/misc/ds1682.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/ds1682.c b/drivers/misc/ds1682.c > index cb09e056531a..4cf4b43e5355 100644 > --- a/drivers/misc/ds1682.c > +++ b/drivers/misc/ds1682.c > @@ -92,7 +92,7 @@ static ssize_t ds1682_show(struct device *dev, > struct device_attribute *attr, > * Special case: the 32 bit regs are time values with 1/4s > * resolution, scale them up to milliseconds > */ > - return sprintf(buf, "%llu\n", (sattr->nr == 4) ? (val * 250) : val); > + return scnprintf(buf, PAGE_SIZE, "%llu\n", (sattr->nr == 4) ? (val * > 250) : val); > } > > static ssize_t ds1682_store(struct device *dev, struct device_attribute *attr, > @@ -163,6 +163,11 @@ static ssize_t ds1682_eeprom_read(struct file > *filp, struct kobject *kobj, > dev_dbg(&client->dev, "ds1682_eeprom_read(p=%p, off=%lli, c=%zi)\n", > buf, off, count); > > + if (off >= DS1682_EEPROM_SIZE) > + return 0; > + if (off + count > DS1682_EEPROM_SIZE) > + count = DS1682_EEPROM_SIZE - off; > + > rc = i2c_smbus_read_i2c_block_data(client, DS1682_REG_EEPROM + off, > count, buf); > if (rc < 0) > @@ -180,6 +185,11 @@ static ssize_t ds1682_eeprom_write(struct file > *filp, struct kobject *kobj, > dev_dbg(&client->dev, "ds1682_eeprom_write(p=%p, off=%lli, c=%zi)\n", > buf, off, count); > > + if (off >= DS1682_EEPROM_SIZE) > + return -EINVAL; > + if (off + count > DS1682_EEPROM_SIZE) > + count = DS1682_EEPROM_SIZE - off; > + > /* Write out to the device */ > if (i2c_smbus_write_i2c_block_data(client, DS1682_REG_EEPROM + off, > count, buf) < 0) Are these new tests really needed? Isn't it already done the same way by the core, because of the ".size = DS1682_EEPROM_SIZE" in ds1682_eeprom_attr? I'm' not really familiar with this code, but my understanding is that it goes thru sysfs_kf_bin_write() and sysfs_kf_bin_read(). CJ
Powered by blists - more mailing lists