On 03.02.2022 17:49, Jonas Malaco wrote:
> Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer
> size") revealed that ee1004_eeprom_read() did not properly limit how
> many bytes to read at once.
>
> In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the
> length to read as an u8. If count == 256 after taking into account the
> offset and page boundary, the cast to u8 overflows. And this is common
> when user space tries to read the entire EEPROM at once.
>
> To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already
> the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.
>
> Fixes: effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jonas Malaco <jonas@xxxxxxxxxxxx>
> ---
> drivers/misc/eeprom/ee1004.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/misc/eeprom/ee1004.c b/drivers/misc/eeprom/ee1004.c
> index bb9c4512c968..9fbfe784d710 100644
> --- a/drivers/misc/eeprom/ee1004.c
> +++ b/drivers/misc/eeprom/ee1004.c
> @@ -114,6 +114,9 @@ static ssize_t ee1004_eeprom_read(struct i2c_client *client, char *buf,
> if (offset + count > EE1004_PAGE_SIZE)
> count = EE1004_PAGE_SIZE - offset;
>
> + if (count > I2C_SMBUS_BLOCK_MAX)
> + count = I2C_SMBUS_BLOCK_MAX;
> +
> return i2c_smbus_read_i2c_block_data_or_emulated(client, offset, count, buf);
> }
>
>
> base-commit: 88808fbbead481aedb46640a5ace69c58287f56a
Reviewed-by: Heiner Kallweit <hkallweit1@xxxxxxxxx>
