android_kernel_samsung_a7y1.../drivers
Jeremy Compostella d8056bb93e i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On an I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
[connoro@google.com: 4.9 backport: adjust filename]
Signed-off-by: Connor O'Brien <connoro@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-06 14:02:20 +02:00
accessibility
acpi
amba
android
ata
atm
auxdisplay
base
battery
battery_v2
bcma
block
bluetooth
bts
bus
ccic
cdrom
char
clk
clocksource
connector
cpufreq
cpuidle
crypto
dca
devfreq
dio
dma
dma-buf
edac
eisa
extcon extcon: usb-gpio: Don't miss event during suspend/resume 2020-04-06 11:16:41 +02:00
fingerprint
firewire
firmware
five
fmc
fpga
gator
gpio gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input 2020-04-06 13:01:31 +02:00
gps
gpu drm/vmwgfx: Don't double-free the mode stored in par->set_mode 2020-04-06 10:58:11 +02:00
gud
hid
hsi
hv
hwmon
hwspinlock
hwtracing stm class: Hide STM-specific options if STM is disabled 2020-04-06 13:03:45 +02:00
i2c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2020-04-06 14:02:20 +02:00
ide
idle
iio
infiniband
input
iommu
ipack
irqchip
isdn mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S 2020-04-06 12:57:02 +02:00
leds
lguest
lightnvm
macintosh
mailbox
mcb
md
media media: v4l2-ctrls.c/uvc: zero v4l2_event 2020-04-06 10:58:18 +02:00
memory
memstick
message
mfd
misc
mmc mmc: mmc: fix switch timeout issue caused by jiffies precision 2020-04-06 12:56:54 +02:00
motor
mtd
muic
net mac8390: Fix mmio access size probe 2020-04-06 12:57:18 +02:00
nfc
ntb
nubus
nvdimm
nvme
nvmem
of
oprofile
parisc
parport
pci
pcmcia
perf
phy
pinctrl
platform
pnp
power
powercap
pps
ps3
ptp
pwm
rapidio
ras
regulator
remoteproc
reset
rpmsg
rtc rtc: Fix overflow when converting time64_t to rtc_time 2020-04-06 11:45:55 +02:00
s390 scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices 2020-04-06 13:01:06 +02:00
sbus
scsi scsi: sd: Fix a race between closing an sd device and sd I/O 2020-04-06 13:01:02 +02:00
security/samsung/icdrv
sensorhub
sensors
sfi
sh
sn
soc
spi
spmi
ssb
staging staging: vt6655: Fix interrupt race condition on device start up. 2020-04-06 13:01:12 +02:00
switch
target
tc
tee
thermal
thunderbolt
trace
tty tty/serial: atmel: Add is_half_duplex helper 2020-04-06 13:43:49 +02:00
uh
uio
usb fix compile errors 2020-04-06 16:54:46 +05:30
uwb
vfio
vhost
video
virt
virtio
vision
vlynq
vme
w1
watchdog
xen
zorro
Kconfig
Makefile