| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <72f9bef0-5f4d-4eef-b853-9d3f6be07004@gmail.com> Date: Sun, 10 Aug 2025 11:22:43 +0200 From: Jonas Jelonek <jelonek.jonas@...il.com> To: Sven Eckelmann <sven@...fation.org>, Wolfram Sang <wsa+renesas@...g-engineering.com> Cc: Chris Packham <chris.packham@...iedtelesis.co.nz>, Andi Shyti <andi.shyti@...nel.org>, Rob Herring <robh@...nel.org>, Krzysztof Kozlowski <krzk+dt@...nel.org>, linux-i2c@...r.kernel.org, Conor Dooley <conor+dt@...nel.org>, devicetree@...r.kernel.org, linux-kernel@...r.kernel.org, Markus Stockhausen <markus.stockhausen@....de>, Harshal Gohel <hg@...onwunderlich.de> Subject: Re: [PATCH v5 05/11] i2c: rtl9300: check if xfer length is valid On 10.08.2025 09:01, Sven Eckelmann wrote: > On Sunday, 10 August 2025 07:51:12 CEST Wolfram Sang wrote: >> On Sat, Aug 09, 2025 at 10:07:06PM +0000, Jonas Jelonek wrote: >>> Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer' >>> to make sure a length < 1 or > 16 isn't accepted. While there shouldn't >>> be a length > 16 because this is specified in the i2c_adapter_quirks, a >>> length of 0 may be passed. >> There is another quirk for this: I2C_AQ_NO_ZERO_LEN >> >> With that, you shouldn't need the code here. > I am a little bit lost here. Let us assume that i2c_smbus_write_byte_data() is > called - for example by an in-kernel driver. We would then have following call > chain: > > * i2c_smbus_write_byte_data > * i2c_smbus_xfer > * __i2c_smbus_xfer > * adapter->algo->smbus_xfer (aka rtl9300_i2c_smbus_xfer) > > But the quirk is only checked in i2c_check_for_quirks - and then on > `struct i2c_msg` and not `union i2c_smbus_data`. And this is only called by > __i2c_transfer (which is called by i2c_transfer, i2c_smbus_xfer_emulated, > ...). But on first glance, it didn't look like it will be called when using > i2c_smbus_write_byte_data - unless __i2c_smbus_xfer fails and must fall back > to i2c_smbus_xfer_emulated. I most likely missed something when doing a quick > check of the source code. Maybe you can point it out. Thanks Sven. I came to the same conclusion for now. The mentioned quirk doesn't seem to prevent this for smbus_xfer. However, it doesn't harm to add it. This probably applies to the existing quirks too, that they are not checked for. So I think this check is necessary. It also ensures that [1] is kept in its purpose more or less. To prevent any invalid length passed from everywhere. The implementation of Quick in this driver is also problematic because it passes a length of 0 internally. Thus, the next patch actually removes that completely. > And I might have to point out that I am currently not next to the actual HW to > check if my statement that adapter->algo->smbus_xfer == rtl9300_i2c_smbus_xfer > is really true. It's true, yes. See [2]. > Kind regards, > Sven Best regards, Jonas [1] https://lore.kernel.org/linux-i2c/20250809-i2c-rtl9300-multi-byte-v4-1-d71dd5eb6121@narfation.org/
Powered by blists - more mailing lists