[SRU][F:linux-bluefield][PATCH v1 0/1] UBUNTU: SAUCE:
asmaa at nvidia.com
Thu Jul 1 13:49:48 UTC 2021
There could be a stack overflow in mlxbf_i2c_smbus_start_transaction().
memcpy() is called in a loop while the upper bound of 'operation->length' is not
checked and 'data_idx' also increments.
The operation length is verified by the caller functions, so it cannot exceed
I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is part of the
write. The data_desc array is 128 bytes in size. So potentially a request which
consists of 4 writes, 32 bytes each, can trigger an off-by-one or off-by-two
overflow, because the first byte of data_desc is used by addr, effectively
decreasing the available data_desc buffer size by one. Functions like
mlx_smbus_i2c_block_func() that prepare the request also set the length of the
first write operation to one and store the command id there, so the target buffer
size of data_desc again decreases by one, making it two bytes less than expected.
* Add a check for "operation->length" and data_idx and return error if reached upper bound.
* Test the i2c-mlxbf.c driver using IPMB functionality.
This fix returns a negative value to indicate that a transaction has failed, so it will catch more transaction failures.
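The following is an added illustration of the bound described above, written for this page and not taken from the i2c-mlxbf.c driver; the struct, function names, buffer sizes and sample payload are constructed assumptions that only model the cover letter's description (addr in byte 0, a one-byte command id, then up to 32 bytes per write into a 128-byte data_desc). It shows the unchecked loop shape overrunning by one or two bytes and the checked variant returning a negative value instead:

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the descriptor packing described in the cover
 * letter; not the i2c-mlxbf.c driver code, and all names are assumptions. */
#define DATA_DESC_SIZE  128   /* data_desc array size from the text */
#define SMBUS_BLOCK_MAX 32    /* I2C_SMBUS_BLOCK_MAX: per-operation limit */

struct smbus_op {
    const uint8_t *buffer;
    size_t length;            /* caller-checked to be <= SMBUS_BLOCK_MAX */
};

/* Unfixed loop shape: data_idx starts at 1 (byte 0 holds addr) and nothing
 * bounds it. Returns how many bytes the copies would land past data_desc. */
size_t unchecked_overrun(const struct smbus_op *ops, size_t nops)
{
    size_t data_idx = 1;
    for (size_t i = 0; i < nops; i++)
        data_idx += ops[i].length;   /* memcpy(&data_desc[data_idx], ...) here */
    return data_idx > DATA_DESC_SIZE ? data_idx - DATA_DESC_SIZE : 0;
}
/* Fixed shape: check operation->length and data_idx before each copy and
 * return a negative value when the upper bound is reached. */
int pack_request_checked(uint8_t addr, const struct smbus_op *ops, size_t nops,
                         uint8_t *data_desc, size_t desc_size)
{
    size_t data_idx = 0;
    data_desc[data_idx++] = addr;    /* first byte of data_desc is used by addr */
    for (size_t i = 0; i < nops; i++) {
        if (ops[i].length > SMBUS_BLOCK_MAX || data_idx + ops[i].length > desc_size)
            return -1;               /* would overflow data_desc: fail the transaction */
        memcpy(&data_desc[data_idx], ops[i].buffer, ops[i].length);
        data_idx += ops[i].length;
    }
    return (int)data_idx;            /* bytes packed, addr included */
}

/* Constructed request: a command-id write of length one, then full_writes
 * 32-byte writes, then one final write of last_len bytes. */
int pack_block_request(size_t full_writes, size_t last_len)
{
    static const uint8_t payload[SMBUS_BLOCK_MAX] = { 0xAB }; /* constructed data */
    static uint8_t data_desc[DATA_DESC_SIZE];
    struct smbus_op ops[8] = { { payload, 1 } };
    size_t n = 1;
    for (size_t i = 0; i < full_writes && n < 7; i++)
        ops[n++] = (struct smbus_op){ payload, SMBUS_BLOCK_MAX };
    ops[n++] = (struct smbus_op){ payload, last_len };
    return pack_request_checked(0x20, ops, n, data_desc, sizeof data_desc);
}
```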