kernel / kernel-source

Clone
Source Code
GIT

Blame patches.suse/i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   e9b03ca6c86b8820e44dda48f287cfca4f855d43
  2.   patches.suse
  3.   i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
Blob History Raw
Lee, Chun-Yi e9b03c 
From: Wei Chen <harperchen1110@gmail.com>
Lee, Chun-Yi e9b03c 
Date: Tue, 14 Mar 2023 16:54:21 +0000
Lee, Chun-Yi e9b03c 
Subject: i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
Lee, Chun-Yi e9b03c 
Patch-mainline: v6.3-rc4
Lee, Chun-Yi e9b03c 
Git-commit: 92fbb6d1296f81f41f65effd7f5f8c0f74943d15
Lee, Chun-Yi e9b03c 
References: bsc#1210715 CVE-2023-2194
Lee, Chun-Yi e9b03c
Lee, Chun-Yi e9b03c 
The data->block[0] variable comes from user and is a number between
Lee, Chun-Yi e9b03c 
0-255. Without proper check, the variable may be very large to cause
Lee, Chun-Yi e9b03c 
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
Lee, Chun-Yi e9b03c
Lee, Chun-Yi e9b03c 
Fix this bug by checking the value of writelen.
Lee, Chun-Yi e9b03c
Lee, Chun-Yi e9b03c 
Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
Lee, Chun-Yi e9b03c 
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Lee, Chun-Yi e9b03c 
Cc: stable@vger.kernel.org
Lee, Chun-Yi e9b03c 
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Lee, Chun-Yi e9b03c 
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Lee, Chun-Yi e9b03c 
Acked-by: Lee, Chun-Yi <jlee@suse.com>
Lee, Chun-Yi e9b03c 
---
Lee, Chun-Yi e9b03c 
 drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
Lee, Chun-Yi e9b03c 
 1 file changed, 3 insertions(+)
Lee, Chun-Yi e9b03c
Lee, Chun-Yi e9b03c 
diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c
Lee, Chun-Yi e9b03c 
index 63259b3ea5ab..3538d36368a9 100644
Lee, Chun-Yi e9b03c 
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
Lee, Chun-Yi e9b03c 
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
Lee, Chun-Yi e9b03c 
@@ -308,6 +308,9 @@ static int slimpro_i2c_blkwr(struct slimpro_i2c_dev *ctx, u32 chip,
Lee, Chun-Yi e9b03c 
 	u32 msg[3];
Lee, Chun-Yi e9b03c 
 	int rc;
Lee, Chun-Yi e9b03c
Lee, Chun-Yi e9b03c 
+	if (writelen > I2C_SMBUS_BLOCK_MAX)
Lee, Chun-Yi e9b03c 
+		return -EINVAL;
Lee, Chun-Yi e9b03c 
+
Lee, Chun-Yi e9b03c 
 	memcpy(ctx->dma_buffer, data, writelen);
Lee, Chun-Yi e9b03c 
 	paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
Lee, Chun-Yi e9b03c 
 			       DMA_TO_DEVICE);
Lee, Chun-Yi e9b03c 
--
Lee, Chun-Yi e9b03c 
2.35.3
Lee, Chun-Yi e9b03c
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.