• Jeremy Compostella's avatar
    i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA · 89c6efa6
    Jeremy Compostella authored
    On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
    greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
    data out of the msgbuf1 array boundary.
    
    It is possible from a user application to run into that issue by
    calling the I2C_SMBUS ioctl with data.block[0] greater than
    I2C_SMBUS_BLOCK_MAX + 1.
    
    This patch makes the code compliant with
    Documentation/i2c/dev-interface by raising an error when the requested
    size is larger than 32 bytes.
    
    Call Trace:
     [<ffffffff8139f695>] dump_stack+0x67/0x92
     [<ffffffff811802a4>] panic+0xc5/0x1eb
     [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
     [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
     [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
     [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
     [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
     [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
     [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
     [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
     [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
    Signed-off-by: default avatarJeremy Compostella <jeremy.compostella@intel.com>
    Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    89c6efa6
i2c-core-smbus.c 18.6 KB