Wolfram Sang <wsa@xxxxxxxxxxxxx> writes:

> On Wed, Nov 15, 2017 at 12:54:09PM -0700, Compostella, Jeremy wrote:
> > On an I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
> > greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
> > data out of the msgbuf1 boundary.
> >
> > It is possible from a user application to run into that issue by calling
> > the I2C_SMBUS ioctl with data.block[0] greater than
> > I2C_SMBUS_BLOCK_MAX + 1.
>
> From Documentation/i2c/dev-interface:
>
> ioctl(file, I2C_SMBUS, struct i2c_smbus_ioctl_data *args)
>   Not meant to be called directly; instead, use the access functions
>   below.
>
> Maybe we should add this info to the include file as well?
>
> But I guess we still shouldn't OOPS on this misuse...

I read that part of the documentation too. But still, I really think this is an issue, as there should not exist such an easy way to corrupt the kernel stack.

Thanks,

Jeremy
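The following is an added example, not code from this thread or from the kernel tree: a user-space C model of the length check a reviewer would want on the emulated I2C block read path, where the user-controlled data->block[0] sizes the copy into the stack buffer msgbuf1. It bounds the length to I2C_SMBUS_BLOCK_MAX (the SMBus protocol maximum, which also lies below the threshold the report describes); the constant values are those of <linux/i2c.h>, and i2c_block_len_check, fake_bus_read, emulated_i2c_block_read and try_block_read are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in <linux/i2c.h>. */
#define I2C_SMBUS_BLOCK_MAX 32

/* Mirrors the block member of union i2c_smbus_data: block[0] is the length,
 * block[1..] the payload, so the array is I2C_SMBUS_BLOCK_MAX + 2 bytes. */
struct smbus_block { uint8_t block[I2C_SMBUS_BLOCK_MAX + 2]; };

/* Stand-in for the bus driver filling a read message of len bytes
 * (constructed pattern data, no real hardware involved). */
static void fake_bus_read(uint8_t *buf, size_t len)
{
	for (size_t i = 0; i < len; i++)
		buf[i] = (uint8_t)(0xA0 + i);
}

/* Hypothetical helper: validate the user-supplied length before it is used
 * to size writes into a fixed stack buffer. Returns 0 or -EINVAL. */
int i2c_block_len_check(unsigned int len)
{
	if (len == 0 || len > I2C_SMBUS_BLOCK_MAX)
		return -EINVAL;
	return 0;
}

/* Emulated I2C_SMBUS_I2C_BLOCK_DATA read with the check applied. Without it,
 * the message length would be data->block[0] unchecked and a driver writing
 * that many bytes into msgbuf1 would run past its end, as reported above. */
int emulated_i2c_block_read(struct smbus_block *data)
{
	uint8_t msgbuf1[I2C_SMBUS_BLOCK_MAX + 2];
	int ret = i2c_block_len_check(data->block[0]);

	if (ret)
		return ret;
	fake_bus_read(msgbuf1, data->block[0]);     /* bounded by the check */
	memcpy(&data->block[1], msgbuf1, data->block[0]);
	return 0;
}

/* Convenience wrapper: run the emulated read for a given block[0] value. */
int try_block_read(unsigned int len)
{
	struct smbus_block data = { {0} };

	data.block[0] = (uint8_t)len;
	return emulated_i2c_block_read(&data);
}
```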