]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
projects / thirdparty / kernel / stable-queue.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8994ecf)
Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Mon, 3 Jan 2022 02:32:49 +0000 (21:32 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 3 Jan 2022 02:32:49 +0000 (21:32 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/i2c-validate-user-data-in-compat-ioctl.patch [new file with mode: 0644] patch | blob
queue-4.19/series patch | blob | blame | history

diff --git a/queue-4.19/i2c-validate-user-data-in-compat-ioctl.patch b/queue-4.19/i2c-validate-user-data-in-compat-ioctl.patch
new file mode 100644 (file)
index 0000000..1748283
--- /dev/null
+++ b/queue-4.19/i2c-validate-user-data-in-compat-ioctl.patch
@@ -0,0 +1,40 @@
+From 1a843639230504609a6d0471c1e37c187be918c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 01:47:50 +0300
+Subject: i2c: validate user data in compat ioctl
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
+
+Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
+Userspace should not be able to trigger warnings, so this patch adds
+validation checks for user data in compact ioctl to prevent reported
+warnings
+
+Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
+Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 57aece8098416..140dd074fdee5 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -544,6 +544,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
+                                  sizeof(rdwr_arg)))
+                       return -EFAULT;
++              if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++                      return -EINVAL;
++
+               if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+                       return -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 8f2e36544d67079d9fe33ad40f8f9aca08d69bd4..79acf719af02a4131b8988e1fc3276f65522ae8f 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,4 @@ nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch
 net-mlx5e-fix-wrong-features-assignment-in-case-of-e.patch
 selftests-net-udpgso_bench_tx-fix-dst-ip-argument.patch
 fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
+i2c-validate-user-data-in-compat-ioctl.patch
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git