On Mon, Apr 01, 2019 at 01:54:41PM -0700, Connor O'Brien wrote: > From: Jeremy Compostella <jeremy.compostella@xxxxxxxxx> > > commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream. > > On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is > greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes > data out of the msgbuf1 array boundary. > > It is possible from a user application to run into that issue by > calling the I2C_SMBUS ioctl with data.block[0] greater than > I2C_SMBUS_BLOCK_MAX + 1. > > This patch makes the code compliant with > Documentation/i2c/dev-interface by raising an error when the requested > size is larger than 32 bytes. > > Call Trace: > [<ffffffff8139f695>] dump_stack+0x67/0x92 > [<ffffffff811802a4>] panic+0xc5/0x1eb > [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30 > [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320 > [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20 > [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320 > [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0 > [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490 > [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60 > [<ffffffff811f7869>] SyS_ioctl+0x79/0x90 > [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a > > Signed-off-by: Jeremy Compostella <jeremy.compostella@xxxxxxxxx> > Signed-off-by: Wolfram Sang <wsa@xxxxxxxxxxxxx> > Cc: stable@xxxxxxxxxx > [connoro@xxxxxxxxxx: 4.9 backport: adjust filename] > Signed-off-by: Connor O'Brien <connoro@xxxxxxxxxx> > --- > drivers/i2c/i2c-core.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) Thanks for these, now applied. greg k-h
