sw/patches/linux: verify the length of block transfer

Without this commit the block read from non-block register could cause the system to hang. The first read byte is interpreted as block length. Which for non-block transfers is not true. For example read of UPTIME_SECS of Monimod register could hang the system: i2cdump -y 0x9 0x12 s 0xd7 Signed-off-by: Adam Wujek <dev_public@wujek.eu>

sw/patches/linux: verify the length of block transfer
Without this commit the block read from non-block register could cause the system to hang. The first read byte is interpreted as block length. Which for non-block transfers is not true. For example read of UPTIME_SECS of Monimod register could hang the system: i2cdump -y 0x9 0x12 s 0xd7 Signed-off-by: Adam Wujek <dev_public@wujek.eu>
0e349038 · Adam Wujek · 7c6f244e · 0e349038
Commit 0e349038 authored Jul 07, 2022 by Adam Wujek
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 0 deletions

0033-i2c-core-check-returned-size-of-emulated-smbus-block.patch ...2c-core-check-returned-size-of-emulated-smbus-block.patch +42 -0

No files found.
--- a/sw/patches/linux/0033-i2c-core-check-returned-size-of-emulated-smbus-block.patch
+++ b/sw/patches/linux/0033-i2c-core-check-returned-size-of-emulated-smbus-block.patch
+From 40e05200593af06633f64ab0effff052eee6f076 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sat, 13 Jun 2020 11:41:09 +0100
+Subject: [PATCH] i2c: core: check returned size of emulated smbus block read
+
+If the i2c bus driver ignores the I2C_M_RECV_LEN flag (as some of
+them do), it is possible for an I2C_SMBUS_BLOCK_DATA read issued
+on some random device to return an arbitrary value in the first
+byte (and nothing else).  When this happens, i2c_smbus_xfer_emulated()
+will happily write past the end of the supplied data buffer, thus
+causing Bad Things to happen.  To prevent this, check the size
+before copying the data block and return an error if it is too large.
+
+Fixes: 209d27c3b167 ("i2c: Emulate SMBus block read over I2C")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+[wsa: use better errno]
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+---
+ drivers/i2c/i2c-core-smbus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
+index 56bb840142e3..f5c9787992e9 100644
+--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
+@@ -495,6 +495,13 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
+ 			break;
+ 		case I2C_SMBUS_BLOCK_DATA:
+ 		case I2C_SMBUS_BLOCK_PROC_CALL:
+			if (msg[1].buf[0] > I2C_SMBUS_BLOCK_MAX) {
+				dev_err(&adapter->dev,
+					"Invalid block size returned: %d\n",
+					msg[1].buf[0]);
+				status = -EPROTO;
+				goto cleanup;
+			}
+ 			for (i = 0; i < msg[1].buf[0] + 1; i++)
+ 				data->block[i] = msg[1].buf[i];
+ 			break;
+-- 
+2.17.1
+