ACK: [SRU][F:linux-bluefield][PATCH v2 1/1] UBUNTU: SAUCE: i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()
Stefan Bader
stefan.bader at canonical.com
Tue Jul 6 07:41:06 UTC 2021
On 02.07.21 15:04, Asmaa Mnebhi wrote:
> BugLink: https://bugs.launchpad.net/bugs/1934304
>
> There could be stack overflow in mlxbf_i2c_smbus_start_transaction().
> memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments.
>
> Reviewed-by: Khalil Blaiech <kblaiech at nvidia.com>
> Signed-off-by: Asmaa Mnebhi <asmaa at nvidia.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
> ---
> drivers/i2c/busses/i2c-mlxbf.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c
> index d3c7bc21e941..05c3025c9772 100644
> --- a/drivers/i2c/busses/i2c-mlxbf.c
> +++ b/drivers/i2c/busses/i2c-mlxbf.c
> @@ -770,6 +770,8 @@ static int mlx_smbus_start_transaction(struct mlx_i2c_priv *priv,
> if (flags & I2C_F_WRITE) {
> write_en = 1;
> write_len += operation->length;
> + if (data_idx + operation->length > MASTER_DATA_DESC_SIZE)
> + return -ENOBUFS;
> memcpy(data_desc + data_idx,
> operation->buffer, operation->length);
> data_idx += operation->length;
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20210706/5701a948/attachment.sig>
More information about the kernel-team
mailing list