lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aXokxtlFTeZK8lP8@kuha>
Date: Wed, 28 Jan 2026 17:02:22 +0200
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: Jeremy Kerr <jk@...econstruct.com.au>
Cc: Wolfram Sang <wsa+renesas@...g-engineering.com>,
	Matt Johnston <matt@...econstruct.com.au>,
	linux-i2c@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/4] i2c: SMBus ARP support

Hi Jeremy,

There seems to be another a bit more severe issue with ARP and
i2c-dev. Right now it seems that anything that can access the i2c
character devices can silently (without the kernel having any idea
what's going on) assign a conflicting address to a dynamically
addressed ARP-device. Perhaps more importantly, the user space can
remove access to an ARP-device by silently assigning a new address to
it or simply by resetting its state with Prepare to ARP.

That can happen accidentally, but it can also be done intentionally.

Unless I've missed something, this really is a major threat that we
have to solve. Right now the only idea that I have is that we simply
prevent the i2c-dev from using the SMBus Default Address.

Wed, Jan 28, 2026 at 06:28:24PM +0800, Jeremy Kerr wrote:
> > Uh, no. You should only use interfaces like new_device with the
> > devices that really can't be detected in kernel, which isn't the case
> > here.
> 
> Who is deciding this "you should only" case? If the facility works, it's
> suitable. You raise some good points that may mean it is not a suitable
> approach for an ARP implementation, but we should still make sure we're
> taking the right approach.
> 
> [You seem pretty defensive here? I'm not saying no to the kernel
> implementation, just doing our homework before agreeing to it]

I'm sorry if I sounded arrogant, it was not my intention. We don't
control the user space, so we can not rely on it to enumerate devices
like this. We will not be always even able to wait for user space with
them. The kernel will also still need to be in full control of the
device, also with the ARP protocol, in order to deal with things like
conflicts. So consider for example hotplugged devices that are not
ARP-capable. If the device has a conflicting address with a
dynamically addressed ARP-device, then kernel really has to be able to
assign new address to the ARP-device completely independently.

> > So why would you want involve the user space at all since it would
> > just add complexity and limitations without any benefits?
> 
> Because we have fewer risks implementing this in userspace.
> 
> As an example, you currently seem to have a stack information leak in
> the proposed Get UDID implementation, which would be much less of an
> issue for the equivalent protocol handling implemented in userspace.

If there are bugs in the code then we need to fix them. Can you please
comment to the patch that has the problem?

> > - You still need to deliver the UDID to the kernel because of things
> >   like the PEC flag, and the drivers will also need information from
> >   it.
> 
> That seems like the main reason for requiring a kernel approach, in that
> we need more information than just the assigned address. It's not
> possible (at present) to specify the PEC flag through existing
> interfaces, right?
> 
> For me, this would be the deciding factor to go for a kernel approach,
> in that we otherwise cannot properly describe ARPed devices to the i2c
> subsystem. We *could* push a new_device with a UDID, but I'm not sure
> that's a great idea.
> 
> > - With the static (not hotplugged) devices you need to assign the
> >   correct ACPI node (or what ever fwnode) to the ARP-device.
> 
> Is that possible at present? how are you planning to represent ARPed
> devices in the DT - or more importantly, correlate DT (or other fwnode)
> nodes to discovered devices?

I don't know about DT, but with ACPI the devices are expected to
either be fixed address devices or just use target address that
matches to the address in the I2C Serial Bus Connection Resource
Descriptor. The mapping is not yet done, but the idea is to just
assign the detected UDID to the i2c-client that was already created
from the fwnode.

> > - When the device is hotplugged, you would need new ABI, like I think
> >   you already noticed, but this really does not make any sense. We
> >   simply don't need it, because the kernel can process this
> >   information on its own very simply.
> 
> Even this "very simple" implementation may have bugs.
> 
> Assuming we go with a kernel approach: For the MCTP case, for full ARP
> support of MCTP endpoints, we would still need to consume a hotplug
> event that indicates that the device is available at its new address
> - there is no kernel driver bound for the remote MCTP endpoints. This
> event would be consumed by the (existing) MCTP infrastructure in order
> to start MCTP enumeration. Is this something you have looked at
> already? If so, if you can send an example of an actual event, I will
> look at the mctpd part of this.

We will have the address attribute file that the user space can use.
If the address changes uevent will be send it.

thanks,

-- 
heikki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ