NACK/Cmnt: [SRU][F:linux-bluefield][PATCH 0/1] UBUNTU: SAUCE:
Asmaa Mnebhi
asmaa at nvidia.com
Fri Jul 2 12:59:40 UTC 2021
Oh, I didn’t put the whole thing in one line. Sorry about that. Will send a new patch.
-----Original Message-----
From: Stefan Bader <stefan.bader at canonical.com>
Sent: Friday, July 2, 2021 2:17 AM
To: Asmaa Mnebhi <asmaa at nvidia.com>; kernel-team at lists.ubuntu.com
Cc: Meriton Tuli <meriton at nvidia.com>; Khalil Blaiech <kblaiech at nvidia.com>
Subject: NACK/Cmnt: [SRU][F:linux-bluefield][PATCH 0/1] UBUNTU: SAUCE:
On 01.07.21 15:49, Asmaa Mnebhi wrote:
> BugLink: https://bugs.launchpad.net/bugs/1934304
>
> There could be stack overflow in mlxbf_i2c_smbus_start_transaction().
> memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments.
>
> Reviewed-by: Khalil Blaiech <kblaiech at nvidia.com>
> Signed-off-by: Asmaa Mnebhi <asmaa at nvidia.com>
>
> ---
The subject/commit title looks to be partial only.
-Stefan
> drivers/i2c/busses/i2c-mlxbf.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-mlxbf.c
> b/drivers/i2c/busses/i2c-mlxbf.c index d3c7bc21e941..05c3025c9772
> 100644
> --- a/drivers/i2c/busses/i2c-mlxbf.c
> +++ b/drivers/i2c/busses/i2c-mlxbf.c
> @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv,
> if (flags & I2C_F_WRITE) {
> write_en = 1;
> write_len += operation->length;
> + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE)
> + return -ENOBUFS;
> memcpy(data_desc + data_idx,
> operation->buffer, operation->length);
> data_idx += operation->length;
>
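Review bot: In the I2C_F_WRITE branch the new bound check sits after "write_en = 1" and "write_len += operation->length", so both locals are already updated when the length turns out to be too large; moving the "data_idx + operation->length > MASTER_DATA_DESC_SIZE" test to the top of the branch keeps validation ahead of any state change and makes the early return easier to audit. The declarations of data_idx and operation->length are not visible in this hunk, so it is worth confirming that the sum is evaluated in a type wide enough that it cannot wrap before the comparison. The commit message names mlxbf_i2c_smbus_start_transaction() while the hunk header shows mlx_smbus_start_transaction(); the message should name the function as it exists in this tree. Only the write path is guarded here, so the message should also say whether the read path can reach a similar copy.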