[PATCH 1/1] i2c: dev: check i2c_msg len before memdup_user() to prevent ZERO_SIZE_PTR deref

Alexander Popov <alex.popov@xxxxxxxxx> · Wed, 18 Apr 2018 03:16:45 +0300

Currently i2cdev_ioctl_rdwr() doesn't check i2c_msg len against zero
before calling memdup_user(). If this len is zero memdup_user() returns
ZERO_SIZE_PTR, which is later considered as valid since
IS_ERR(ZERO_SIZE_PTR) is false. That causes ZERO_SIZE_PTR deref oops.

Let's check i2c_msg len against zero before calling memdup_user().

This issue was triggered by syzkaller.

Signed-off-by: Alexander Popov <alex.popov@xxxxxxxxx>
---
 drivers/i2c/i2c-dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 036a03f..b9b6715 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -252,8 +252,8 @@ static noinline int i2cdev_ioctl_rdwr(struct i2c_client *client,
 
 	res = 0;
 	for (i = 0; i < nmsgs; i++) {
-		/* Limit the size of the message to a sane amount */
-		if (msgs[i].len > 8192) {
+		/* Check that the size is sane */
+		if (!msgs[i].len || msgs[i].len > 8192) {
 			res = -EINVAL;
 			break;
 		}
-- 
2.7.4







