linux_old1/drivers/i2c
Jeremy Compostella 89c6efa61f i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
2018-01-17 15:35:21 +01:00
..
algos i2c: algo-bit: add support for I2C_M_STOP 2017-06-23 20:45:43 +02:00
busses i2c: piix4: Fix port number check on release 2017-12-12 23:27:04 +01:00
muxes Merge branch 'i2c/for-4.15' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-11-14 17:52:21 -08:00
Kconfig Merge branch 'i2c/for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2016-12-15 12:56:35 -08:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
i2c-boardinfo.c i2c: i2c-boardinfo: fix memory leaks on devinfo 2017-11-27 19:14:29 +01:00
i2c-core-acpi.c i2c: core: Allow empty id_table in ACPI case as well 2017-07-31 15:50:33 +02:00
i2c-core-base.c i2c: core: decrease reference count of device node in i2c_unregister_device 2018-01-17 15:23:31 +01:00
i2c-core-of.c i2c: Convert to using %pOF instead of full_name 2017-07-31 17:19:35 +02:00
i2c-core-slave.c i2c: break out slave support into separate file 2017-05-31 21:01:03 +02:00
i2c-core-smbus.c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2018-01-17 15:35:21 +01:00
i2c-core.h i2c: core: Allow empty id_table in ACPI case as well 2017-07-31 15:50:33 +02:00
i2c-dev.c i2c compat ioctls: move to ->compat_ioctl() 2017-09-20 01:02:27 -04:00
i2c-mux.c i2c: mux: only print failure message on error 2017-05-15 18:49:11 +02:00
i2c-slave-eeprom.c i2c: Drop owner assignment from i2c_driver 2015-08-10 08:37:35 +02:00
i2c-smbus.c i2c: i2c-smbus: add of_i2c_setup_smbus_alert 2017-10-28 23:42:47 +02:00
i2c-stub.c i2c: stub: fix build warning regression 2017-06-15 23:22:11 +02:00