This is a note to let you know that I've just added the patch titled
i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
i2c-xgene-slimpro-fix-out-of-bounds-bug-in-xgene_slimpro_i2c_xfer.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 Mon Sep 17 00:00:00 2001
From: Wei Chen <harperchen1110@xxxxxxxxx>
Date: Tue, 14 Mar 2023 16:54:21 +0000
Subject: i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
From: Wei Chen <harperchen1110@xxxxxxxxx>
commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream.
The data->block[0] variable comes from user and is a number between
0-255. Without proper check, the variable may be very large to cause
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
Fix this bug by checking the value of writelen.
Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
Signed-off-by: Wei Chen <harperchen1110@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Andi Shyti <andi.shyti@xxxxxxxxxx>
Signed-off-by: Wolfram Sang <wsa@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -308,6 +308,9 @@ static int slimpro_i2c_blkwr(struct slim
u32 msg[3];
int rc;
+ if (writelen > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
memcpy(ctx->dma_buffer, data, writelen);
paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
DMA_TO_DEVICE);
Patches currently in stable-queue which might be from harperchen1110@xxxxxxxxx are
queue-6.1/i2c-xgene-slimpro-fix-out-of-bounds-bug-in-xgene_slimpro_i2c_xfer.patch
