Public bug reported:
SRU Justification:
[Impact]
There could be stack overflow in mlxbf_i2c_smbus_start_transaction().
memcpy() is called in a loop while 'operation->length' upper bound is not
checked and 'data_idx' also increments.
More details:
The operation length is verified by the caller functions so it cannot exceed
I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is a part of the
write. Data_desc array is 128 bytes in size. So potentially a request which
consists of 4 writes, 32 bytes each can trigger an off-by-one or off-by-two
overflow, because the first byte of data_desc is used by addr, effectively
decreasing the available data_desc buffer size by one. Functions like
mlx_smbus_i2c_block_func() that prepare the request also set the length of the
first write operation to one and store the command id there, so the target
buffer size again decreases data_desc by one, making it two bytes less than
expected.
[Fix]
* Add a check for "operation->length" and data_idx and return error if
reached upper bound.
[Test Case]
* Test the i2c-mlxbf.c driver using IPMB functionality.
[Regression Potential]
This fix returns a negative value to indicate that a transaction has
failed. So it will catch more transactions failures.
** Affects: linux-bluefield (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1934304
Title:
i2c-mlxbf.c: prevent stack overflow in
mlxbf_i2c_smbus_start_transaction
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1934304/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
