APPLIED: [SRU][F:linux-bluefield][PATCH v2 0/1] UBUNTU: SAUCE: i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()

Stefan Bader stefan.bader at canonical.com
Wed Jul 14 07:57:20 UTC 2021


On 02.07.21 15:04, Asmaa Mnebhi wrote:
> BugLink: https://bugs.launchpad.net/bugs/1934304
> 
> SRU Justification:
> 
> [Impact]
> 
> There could be a stack overflow in mlxbf_i2c_smbus_start_transaction().
> memcpy() is called in a loop while the 'operation->length' upper bound is not
> checked and 'data_idx' also increments.
> 
> More details:
> The operation length is verified by the caller functions, so it cannot exceed
> I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is a part of the
> write. The data_desc array is 128 bytes in size. So potentially a request which
> consists of 4 writes, 32 bytes each, can trigger an off-by-one or off-by-two
> overflow, because the first byte of data_desc is used by addr, effectively
> decreasing the available data_desc buffer size by one. Functions like
> mlx_smbus_i2c_block_func() that prepare the request also set the length of the
> first write operation to one and store the command id there, so the target buffer
> size again decreases data_desc by one, making it two bytes less than expected.
> 
> [Fix]
> 
> * Add a check for "operation->length" and data_idx and return error if reached upper bound.
> 
> [Test Case]
> 
> * Test the i2c-mlxbf.c driver using IPMB functionality.
> 
> [Regression Potential]
> 
> This fix returns a negative value to indicate that a transaction has failed. So it will catch more transaction failures.
> 
Applied to focal:linux-bluefield/master-next. Thanks.

-Stefan
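To make the bounds problem in the quoted justification concrete, here is an added, self-contained C sketch (not the i2c-mlxbf.c driver code, and not part of this mail): a simplified packing loop that places the address in byte 0 of a 128-byte descriptor and then copies each write operation in turn. The struct name `smbus_op`, the function names and the constant `MLXBF_I2C_DATA_DESC_SIZE` are assumptions chosen for illustration; `I2C_SMBUS_BLOCK_MAX` (32) and the 128-byte buffer size come from the description above. The cumulative check against the remaining space is the kind of check the patch adds: three 32-byte writes fit (1 + 96 = 97 bytes), while four 32-byte writes would need 129 bytes and are rejected with -EINVAL instead of running past the array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32        /* per-operation limit enforced by callers (from the mail) */
#define MLXBF_I2C_DATA_DESC_SIZE 128  /* data_desc is 128 bytes per the mail; macro name is assumed */

/* Hypothetical, simplified write-operation descriptor (not the driver's real struct). */
struct smbus_op {
    const uint8_t *buffer;
    size_t length;
};

/*
 * Pack the slave address followed by the payload of each write operation
 * into data_desc, refusing any request that would run past the buffer.
 * Returns the number of bytes packed, or -EINVAL on a bounds violation.
 */
int pack_write_request(uint8_t addr, const struct smbus_op *ops, size_t nops,
                       uint8_t data_desc[MLXBF_I2C_DATA_DESC_SIZE])
{
    size_t data_idx = 0;

    /* Byte 0 carries the address, so payload capacity is one byte less than the array. */
    data_desc[data_idx++] = addr;

    for (size_t i = 0; i < nops; i++) {
        const struct smbus_op *op = &ops[i];

        /* Per-operation bound: the caller contract described in the mail. */
        if (op->length > I2C_SMBUS_BLOCK_MAX)
            return -EINVAL;

        /* Cumulative bound on data_idx: this is what stops the off-by-one/two
         * case (e.g. four 32-byte writes after the address byte). data_idx never
         * exceeds the array size, so the subtraction cannot wrap. */
        if (op->length > MLXBF_I2C_DATA_DESC_SIZE - data_idx)
            return -EINVAL;

        memcpy(data_desc + data_idx, op->buffer, op->length);
        data_idx += op->length;
    }
    return (int)data_idx;
}

/* Worked check: a request of n operations, each len bytes of constructed filler. */
int pack_n_ops(size_t n, size_t len)
{
    uint8_t payload[I2C_SMBUS_BLOCK_MAX + 1];
    uint8_t data_desc[MLXBF_I2C_DATA_DESC_SIZE];
    struct smbus_op ops[8];

    if (n > 8 || len > sizeof payload)
        return -EINVAL;
    memset(payload, 0xAB, sizeof payload);  /* constructed sample data */
    for (size_t i = 0; i < n; i++) {
        ops[i].buffer = payload;
        ops[i].length = len;
    }
    return pack_write_request(0x20, ops, n, data_desc);
}

int main(void)
{
    printf("3 x 32-byte writes -> %d\n", pack_n_ops(3, 32));  /* 97 */
    printf("4 x 32-byte writes -> %d\n", pack_n_ops(4, 32));  /* -22 (EINVAL) */
    return 0;
}
```

The second check is deliberately written as `length > capacity - data_idx` rather than `data_idx + length > capacity` so that no intermediate sum can overflow, which is the safer idiom when the length comes from a caller-controlled request.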

