Re: [PATCH] i2c: cp2615: prevent buffer overflow in cp2615_i2c_master_xfer()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dan Carpenter <dan.carpenter@xxxxxxxxxx> ezt írta (időpont: 2022. okt.
12., Sze, 16:52):
>
> The "msg->len" can be controlled by the user via the ioctl.  We need to
> ensure that it is not too large.

Does the I2C core not check that submitted msgs do not exceed maximums
specified in `i2c_adapter_quirks`? @WSA?
If not, other drivers may also have this issue.

> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  drivers/i2c/busses/i2c-cp2615.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> index 3ded28632e4c..ad1d6e548503 100644
> --- a/drivers/i2c/busses/i2c-cp2615.c
> +++ b/drivers/i2c/busses/i2c-cp2615.c
> @@ -231,6 +231,8 @@ cp2615_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
>                 } else {
>                         i2c_w.read_len = 0;
>                         i2c_w.write_len = msg->len;
> +                       if (msg->len > sizeof(i2c_w.data))
> +                               return -EINVAL;

Please move this up to line 225, as an invalid `read_len` is also an
error and should bail out accordingly.

>                         memcpy(&i2c_w.data, msg->buf, i2c_w.write_len);
>                 }
>                 ret = cp2615_i2c_send(usbif, &i2c_w);
> --
> 2.35.1
>
>

Bence



[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux