From patchwork Sat May 5 12:57:10 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 909147
X-Patchwork-Delegate: wolfram@the-dreams.de
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Wolfram Sang, linux-i2c@vger.kernel.org (open list:I2C SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/2] i2c: core-smbus: fix a potential uninitialization bug
Date: Sat, 5 May 2018 07:57:10 -0500
Message-Id: <1525525030-9805-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-i2c-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-i2c@vger.kernel.org

In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1, which are used to save a series of messages, as mentioned in the comment. According to the value of the variable 'size', msgbuf0 is initialized to various values. In contrast, msgbuf1 is left uninitialized until the function i2c_transfer() is invoked. However, msgbuf1 is not always initialized on all possible execution paths (implementation) of i2c_transfer(). Thus, it is possible that msgbuf1 may still be uninitialized even after the invocation of the function i2c_transfer(), especially when the return value of i2c_transfer() is not checked properly. In the following execution, the uninitialized msgbuf1 will be used, such as for security checks. Since uninitialized values can be random and arbitrary, this will cause undefined behaviors or even check bypass. For example, it is expected that if the value of 'size' is I2C_SMBUS_BLOCK_PROC_CALL, the value of data->block[0] should not be larger than I2C_SMBUS_BLOCK_MAX. But, at the end of i2c_smbus_xfer_emulated(), the value read from msgbuf1 is assigned to data->block[0], which can potentially lead to invalid block write size, as demonstrated in the error message.

This patch initializes the first byte of msgbuf1 with 0 to avoid such undefined behaviors or security issues.

Signed-off-by: Wenwen Wang

--- drivers/i2c/i2c-core-smbus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c index b5aec33..7d7700f 100644
--- a/drivers/i2c/i2c-core-smbus.c +++ b/drivers/i2c/i2c-core-smbus.c @@ -344,6 +344,7 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, }; msgbuf0[0] = command; + msgbuf1[0] = 0; switch (size) { case I2C_SMBUS_QUICK: msg[0].len = 0;
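
Review bot: The added `msgbuf1[0] = 0;` after `msgbuf0[0] = command;` initializes only the first byte, while the commit message describes the whole of msgbuf1 as potentially unfilled when i2c_transfer() takes a path that does not write it, so any later read of msgbuf1 beyond index 0 would still see stack garbage on those paths. Either zero the full array at its declaration, or state in the commit message why byte 0 (the length that ends up in data->block[0]) is the only byte that can be consumed uninitialized. The message also attributes the problem to the return value of i2c_transfer() not being checked properly; if that check is the root cause, it should be tightened in this series as well, since the assignment alone only replaces an arbitrary length with 0 and does not report the failed transfer. A one-line comment above the new assignment saying why the read buffer is pre-initialized would help, as would including the error message that the description refers to but does not quote.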