| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3b69c4b6-2cbb-4cc3-8bc7-cccb96ad6d8e@huawei.com>
Date: Tue, 14 Oct 2025 11:25:40 +0800
From: Wang Liang <wangliang74@...wei.com>
To: <wsa+renesas@...g-engineering.com>, <dhowells@...hat.com>,
<rostedt@...dmis.org>
CC: <yuehaibing@...wei.com>, <zhangchangzhong@...wei.com>,
<linux-kernel@...r.kernel.org>, <linux-i2c@...r.kernel.org>
Subject: Re: [PATCH] i2c: dev: Fix field-spanning write in
__do_trace_smbus_write()
在 2025/9/18 19:39, Wang Liang 写道:
> A field-spanning write warning was observed with following output:
>
> ------------[ cut here ]------------
> memcpy: detected field-spanning write (size 86) of single field "entry->buf" at ./include/trace/events/smbus.h:60 (size 34)
> WARNING: CPU: 1 PID: 2646 at ./include/trace/events/smbus.h:60
> CPU: 1 UID: 0 PID: 2646 Comm: syz.0.310 Not tainted 6.17.0-rc5+ #5 PREEMPT(none)
> RIP: 0010:do_trace_event_raw_event_smbus_write.constprop.0+0x37a/0x520 include/trace/events/smbus.h:23
> Call Trace:
> <TASK>
> __do_trace_smbus_write include/trace/events/smbus.h:23 [inline]
> trace_smbus_write include/trace/events/smbus.h:23 [inline]
> __i2c_smbus_xfer.part.0+0x5ce/0x9a0 drivers/i2c/i2c-core-smbus.c:572
> __i2c_smbus_xfer+0xa3/0x1a0 drivers/i2c/i2c-core-smbus.c:566
> i2c_smbus_xfer drivers/i2c/i2c-core-smbus.c:546 [inline]
> i2c_smbus_xfer+0x208/0x3c0 drivers/i2c/i2c-core-smbus.c:536
> i2cdev_ioctl_smbus+0x2cd/0x850 drivers/i2c/i2c-dev.c:389
> i2cdev_ioctl+0x3bb/0x800 drivers/i2c/i2c-dev.c:478
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:598 [inline]
> __se_sys_ioctl fs/ioctl.c:584 [inline]
> __x64_sys_ioctl+0x191/0x210 fs/ioctl.c:584
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x5d/0x2d0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> </TASK>
>
> Similar to previous commit 57f312b95593 ("i2c: rtl9300: Fix out-of-bounds
> bug in rtl9300_i2c_smbus_xfer"), the data->block[0] is used for length and
> it comes from user. Add check for the variable to avoid out-of-bounds bug.
>
> Fixes: 8a325997d95d ("i2c: Add message transfer tracepoints for SMBUS [ver #2]")
> Signed-off-by: Wang Liang <wangliang74@...wei.com>
> ---
> drivers/i2c/i2c-dev.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
> index e9577f920286..b00961561134 100644
> --- a/drivers/i2c/i2c-dev.c
> +++ b/drivers/i2c/i2c-dev.c
> @@ -386,6 +386,12 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
> if (read_write == I2C_SMBUS_READ)
> temp.block[0] = I2C_SMBUS_BLOCK_MAX;
> }
> +
> + if (temp.block[0] > I2C_SMBUS_BLOCK_MAX) {
> + dev_dbg(&client->adapter->dev, "block[0] out of range in ioctl I2C_SMBUS.\n");
> + return -EINVAL;
> + }
> +
> res = i2c_smbus_xfer(client->adapter, client->addr, client->flags,
> read_write, command, size, &temp);
> if (!res && ((size == I2C_SMBUS_PROC_CALL) ||
ping
Powered by blists - more mailing lists