]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
projects / thirdparty / kernel / stable-queue.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6052644)
Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Mon, 3 Jan 2022 02:32:48 +0000 (21:32 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 3 Jan 2022 02:32:48 +0000 (21:32 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/i2c-validate-user-data-in-compat-ioctl.patch [new file with mode: 0644] patch | blob
queue-5.4/series patch | blob | blame | history

diff --git a/queue-5.4/i2c-validate-user-data-in-compat-ioctl.patch b/queue-5.4/i2c-validate-user-data-in-compat-ioctl.patch
new file mode 100644 (file)
index 0000000..28af716
--- /dev/null
+++ b/queue-5.4/i2c-validate-user-data-in-compat-ioctl.patch
@@ -0,0 +1,40 @@
+From 2bc44df0c237da85540fafae2c1cd328bce65946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 01:47:50 +0300
+Subject: i2c: validate user data in compat ioctl
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
+
+Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
+Userspace should not be able to trigger warnings, so this patch adds
+validation checks for user data in compact ioctl to prevent reported
+warnings
+
+Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
+Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index c9ae1895cd48a..7da6ca26a5f56 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -536,6 +536,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
+                                  sizeof(rdwr_arg)))
+                       return -EFAULT;
++              if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++                      return -EINVAL;
++
+               if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+                       return -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 188193d4add82990e70b5ce5ea982c62e7b0d987..92e1ad95b0eecd6c73c3106f4931edd9fc097364 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,4 @@ net-mlx5e-fix-wrong-features-assignment-in-case-of-e.patch
 selftests-net-udpgso_bench_tx-fix-dst-ip-argument.patch
 net-ncsi-check-for-error-return-from-call-to-nla_put.patch
 fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
+i2c-validate-user-data-in-compat-ioctl.patch
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git