Hi Wei, On Tue, Mar 14, 2023 at 01:57:34PM +0000, Wei Chen wrote: > The data->block[0] variable comes from user and is a number between > 0-255. Without proper check, the variable may be very large to cause > an out-of-bounds when performing memcpy in slimpro_i2c_blkwr. > > Fix this bug by checking the value of data->block[0]. > > Signed-off-by: Wei Chen <harperchen1110@xxxxxxxxx> > --- > drivers/i2c/busses/i2c-xgene-slimpro.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c > index 63259b3ea5ab..bc9a3e7e0c96 100644 > --- a/drivers/i2c/busses/i2c-xgene-slimpro.c > +++ b/drivers/i2c/busses/i2c-xgene-slimpro.c > @@ -391,6 +391,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, > &data->block[0]); > > } else { > + > + if (data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX) > + return -EINVAL; > + > ret = slimpro_i2c_blkwr(ctx, addr, command, > SMBUS_CMD_LEN, > SLIMPRO_IIC_SMB_PROTOCOL, > @@ -408,6 +412,10 @@ static int xgene_slimpro_i2c_xfer(struct i2c_adapter *adap, u16 addr, > IIC_SMB_WITHOUT_DATA_LEN, > &data->block[1]); > } else { > + > + if (data->block[0] > I2C_SMBUS_BLOCK_MAX) > + return -EINVAL; > + you could eventually put this check inside slimpro_i2c_blkwr() so that you have it once and for all, for everyone. Andi > ret = slimpro_i2c_blkwr(ctx, addr, command, > SMBUS_CMD_LEN, > SLIMPRO_IIC_I2C_PROTOCOL, > -- > 2.25.1 >
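Review bot: in the first hunk (the SLIMPRO_IIC_SMB_PROTOCOL write path) the bound is `data->block[0] + 1 > I2C_SMBUS_BLOCK_MAX`, which rejects a count equal to I2C_SMBUS_BLOCK_MAX, while the second hunk accepts that same count; neither the commit message nor a comment explains why the two limits differ. If the extra byte is meant to account for a length byte sent along with the data, say so in a comment next to the check, and confirm that rejecting a full-length block is intended rather than an off-by-one. Both hunks also add an empty line directly after `} else {`, which should be dropped.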
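Review bot: the second hunk (the SLIMPRO_IIC_I2C_PROTOCOL write path) repeats the validation at the call site, so the safety of the memcpy that the commit message places in slimpro_i2c_blkwr() depends on every caller carrying its own check. Validating the length once at the top of slimpro_i2c_blkwr(), against the size of the buffer it copies into, would cover both branches and any later caller, and would replace the two differently written comparisons with a single one.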