linux-kernel - [PATCH] i2c: dev: Fix field-spanning write in __do_trace_smbus

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <20250918113956.169348-1-wangliang74@huawei.com>
Date: Thu, 18 Sep 2025 19:39:56 +0800
From: Wang Liang <wangliang74@...wei.com>
To: <wsa+renesas@...g-engineering.com>, <dhowells@...hat.com>,
	<rostedt@...dmis.org>
CC: <yuehaibing@...wei.com>, <zhangchangzhong@...wei.com>,
	<wangliang74@...wei.com>, <linux-kernel@...r.kernel.org>,
	<linux-i2c@...r.kernel.org>
Subject: [PATCH] i2c: dev: Fix field-spanning write in __do_trace_smbus_write()

A field-spanning write warning was observed with following output:

  ------------[ cut here ]------------
  memcpy: detected field-spanning write (size 86) of single field "entry->buf" at ./include/trace/events/smbus.h:60 (size 34)
  WARNING: CPU: 1 PID: 2646 at ./include/trace/events/smbus.h:60
  CPU: 1 UID: 0 PID: 2646 Comm: syz.0.310 Not tainted 6.17.0-rc5+ #5 PREEMPT(none)
  RIP: 0010:do_trace_event_raw_event_smbus_write.constprop.0+0x37a/0x520 include/trace/events/smbus.h:23
  Call Trace:
   <TASK>
   __do_trace_smbus_write include/trace/events/smbus.h:23 [inline]
   trace_smbus_write include/trace/events/smbus.h:23 [inline]
   __i2c_smbus_xfer.part.0+0x5ce/0x9a0 drivers/i2c/i2c-core-smbus.c:572
   __i2c_smbus_xfer+0xa3/0x1a0 drivers/i2c/i2c-core-smbus.c:566
   i2c_smbus_xfer drivers/i2c/i2c-core-smbus.c:546 [inline]
   i2c_smbus_xfer+0x208/0x3c0 drivers/i2c/i2c-core-smbus.c:536
   i2cdev_ioctl_smbus+0x2cd/0x850 drivers/i2c/i2c-dev.c:389
   i2cdev_ioctl+0x3bb/0x800 drivers/i2c/i2c-dev.c:478
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:598 [inline]
   __se_sys_ioctl fs/ioctl.c:584 [inline]
   __x64_sys_ioctl+0x191/0x210 fs/ioctl.c:584
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x5d/0x2d0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

Similar to previous commit 57f312b95593 ("i2c: rtl9300: Fix out-of-bounds
bug in rtl9300_i2c_smbus_xfer"), the data->block[0] is used for length and
it comes from user. Add check for the variable to avoid out-of-bounds bug.

Fixes: 8a325997d95d ("i2c: Add message transfer tracepoints for SMBUS [ver #2]")
Signed-off-by: Wang Liang <wangliang74@...wei.com>
---
 drivers/i2c/i2c-dev.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index e9577f920286..b00961561134 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -386,6 +386,12 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
 		if (read_write == I2C_SMBUS_READ)
 			temp.block[0] = I2C_SMBUS_BLOCK_MAX;
 	}
+
+	if (temp.block[0] > I2C_SMBUS_BLOCK_MAX) {
+		dev_dbg(&client->adapter->dev, "block[0] out of range in ioctl I2C_SMBUS.\n");
+		return -EINVAL;
+	}
+
 	res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
 	      read_write, command, size, &temp);
 	if (!res && ((size == I2C_SMBUS_PROC_CALL) ||
-- 
2.34.1