| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <39437e40a6f14c5189e86cffb0b6abb5@huawei.com>
Date: Tue, 9 Sep 2025 09:30:03 +0000
From: "zhangxiaomeng (A)" <zhangxiaomeng13@...wei.com>
To: Steven Rostedt <rostedt@...dmis.org>
CC: "mhiramat@...nel.org" <mhiramat@...nel.org>, "dhowells@...hat.com"
<dhowells@...hat.com>, "wsa@...nel.org" <wsa@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-trace-kernel@...r.kernel.org" <linux-trace-kernel@...r.kernel.org>
Subject: 回复: [PATCH] i2c: Fix OOB access in trace_event_raw_event_smbus_write
I previously attempted to apply a fix within the i2cdev_ioctl_smbus function. While this approach was successful in preventing the warning, I found that the required changes were quite extensive. The WARN is triggered by the trace_smbus_write tracepoint, which performs a memcpy(__entry->buf, data->block, len) for write operations on three specific block protocols: I2C_SMBUS_BLOCK_DATA, I2C_SMBUS_I2C_BLOCK_DATA, and I2C_SMBUS_BLOCK_PROC_CALL. To fix this in i2cdev_ioctl_smbus, it would be necessary to add checks for all three of these cases, which makes the solution rather complex.
--xiaomeng
-----邮件原件-----
发件人: Steven Rostedt <rostedt@...dmis.org>
发送时间: 2025年9月3日 3:50
收件人: zhangxiaomeng (A) <zhangxiaomeng13@...wei.com>
抄送: mhiramat@...nel.org; dhowells@...hat.com; wsa@...nel.org; linux-kernel@...r.kernel.org; linux-trace-kernel@...r.kernel.org
主题: Re: [PATCH] i2c: Fix OOB access in trace_event_raw_event_smbus_write
On Thu, 21 Aug 2025 01:23:12 +0000
Xiaomeng Zhang <zhangxiaomeng13@...wei.com> wrote:
> The smbus_write tracepoint copies __entry->len bytes into a fixed
> I2C_SMBUS_BLOCK_MAX + 2 buffer. Oversized lengths (e.g., 46) exceed
> the destination and over-read the source buffer, triggering OOB
> warning:
>
> memcpy: detected field-spanning write (size 48) of single field
> "entry->buf" at include/trace/events/smbus.h:60 (size 34)
>
> Clamp the copy size to I2C_SMBUS_BLOCK_MAX + 2 before memcpy().
> This only affects tracing and does not change I2C transfer behavior.
>
> Fixes: 8a325997d95d ("i2c: Add message transfer tracepoints for SMBUS
> [ver #2]")
> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13@...wei.com>
> ---
> include/trace/events/smbus.h | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/include/trace/events/smbus.h
> b/include/trace/events/smbus.h index 71a87edfc46d..e306d8b928c3 100644
> --- a/include/trace/events/smbus.h
> +++ b/include/trace/events/smbus.h
> @@ -57,6 +57,8 @@ TRACE_EVENT_CONDITION(smbus_write,
> case I2C_SMBUS_I2C_BLOCK_DATA:
> __entry->len = data->block[0] + 1;
> copy:
> + if (__entry->len > I2C_SMBUS_BLOCK_MAX + 2)
> + __entry->len = I2C_SMBUS_BLOCK_MAX + 2;
> memcpy(__entry->buf, data->block, __entry->len);
> break;
> case I2C_SMBUS_QUICK:
The code has:
switch (protocol) {
case I2C_SMBUS_BYTE_DATA:
__entry->len = 1;
goto copy;
case I2C_SMBUS_WORD_DATA:
case I2C_SMBUS_PROC_CALL:
__entry->len = 2;
goto copy;
case I2C_SMBUS_BLOCK_DATA:
case I2C_SMBUS_BLOCK_PROC_CALL:
case I2C_SMBUS_I2C_BLOCK_DATA:
__entry->len = data->block[0] + 1;
copy:
memcpy(__entry->buf, data->block, __entry->len);
break;
case I2C_SMBUS_QUICK:
case I2C_SMBUS_BYTE:
case I2C_SMBUS_I2C_BLOCK_BROKEN:
default:
__entry->len = 0;
}
I only see two calls to the copy where one is len = 1 and the other is len = 2. Why not put the check before the copy label?
-- Steve
Powered by blists - more mailing lists