From patchwork Wed May 2 22:36:21 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 907770
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] i2c: core-smbus: fix a potential uninitialization bug
Date: Wed, 2 May 2018 17:36:21 -0500
Message-Id: <1525300581-27217-1-git-send-email-wang6495@umn.edu>

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable "size", msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still not be uninitialized even after the invocation of the function i2c_transfer(). In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass. For example, it is expected that if the value of "size" is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to invalid block write size, as demonstrated in the error message.

This patch simply initializes the buffer msgbuf1 with 0 to avoid undefined behaviors or security issues.

Signed-off-by: Wenwen Wang
---
 drivers/i2c/i2c-core-smbus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index b5aec33..0fcca75 100644
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -324,7 +324,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, * somewhat simpler. */ unsigned char msgbuf0[I2C_SMBUS_BLOCK_MAX+3]; - unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2]; + unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2] = {0}; int num = read_write == I2C_SMBUS_READ ? 2 : 1; int i; u8 partial_pec = 0;
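
Review bot: The `= {0}` initializer on msgbuf1 makes the read-back deterministic but does not validate it. The commit message says msgbuf1[0] is copied into data->block[0] for I2C_SMBUS_BLOCK_PROC_CALL and must not exceed I2C_SMBUS_BLOCK_MAX, yet nothing in this hunk enforces that bound. An adapter that does fill the buffer can still return an oversized length. I would pair the initializer with an explicit check of msgbuf1[0] against I2C_SMBUS_BLOCK_MAX where the value is copied out, returning an error on violation. It is also worth confirming that a length of 0, which is what callers will now see on the paths where i2c_transfer() leaves the buffer untouched, is handled sensibly by them. Two smaller points: the commit message refers to "the error message" without quoting it, so please include the message or drop the reference; and msgbuf0, declared on the line above, stays uninitialized, so a short comment saying it is always filled according to "size" before use would explain why only msgbuf1 gets the initializer.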