Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 13, 2022 at 08:02:04PM +0200, Bence Csókás wrote:
> Dan Carpenter <dan.carpenter@xxxxxxxxxx> ezt írta (időpont: 2022. okt.
> 12., Sze, 16:52):
> >
> > The "msg->len" can be controlled by the user via the ioctl.  We need to
> > ensure that it is not too large.
> 
> Does the I2C core not check that submitted msgs do not exceed maximums
> specified in `i2c_adapter_quirks`? @WSA?
> If not, other drivers may also have this issue.
> 

I fixed another driver as well.

The other related bugs we've been fixing recently are related to
i2cdev_ioctl().  So it's not 100% the same, but similar.


> > Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > ---
> >  drivers/i2c/busses/i2c-cp2615.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> > index 3ded28632e4c..ad1d6e548503 100644
> > --- a/drivers/i2c/busses/i2c-cp2615.c
> > +++ b/drivers/i2c/busses/i2c-cp2615.c
> > @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> >                 } else {
> >                         i2c_w.read_len = 0;
> >                         i2c_w.write_len = msg->len;
> > +                       if (msg->len > sizeof(i2c_w.data))
> > +                               return -EINVAL;
> 
> Please move this up to line 225, as an invalid `read_len` is also an
> error and should bail out accordingly.
> 

I don't see the bug.  Is that something that requires knowledge of the
hardware?

regards,
dan carpenter




[Index of Archives]     [Linux GPIO]     [Linux SPI]     [Linux Hardward Monitoring]     [LM Sensors]     [Linux USB Devel]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux