** Also affects: linux-bluefield (Ubuntu Focal) Importance: Undecided Status: New
** Changed in: linux-bluefield (Ubuntu Focal) Importance: Undecided => Medium
** Changed in: linux-bluefield (Ubuntu Focal) Status: New => In Progress
** Changed in: linux-bluefield (Ubuntu Focal) Assignee: (unassigned) => Asmaa Mnebhi (asmaam)
** Changed in: linux-bluefield (Ubuntu) Status: New => Invalid

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1934304

Title:
  i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  In Progress

Bug description:
  SRU Justification:

  [Impact]
  There could be a stack overflow in mlxbf_i2c_smbus_start_transaction(). memcpy() is called in a loop while the 'operation->length' upper bound is not checked and 'data_idx' also increments.

  More details: The operation length is verified by the caller functions, so it cannot exceed I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is a part of the write. The data_desc array is 128 bytes in size. So potentially a request which consists of 4 writes, 32 bytes each, can trigger an off-by-one or off-by-two overflow, because the first byte of data_desc is used by addr, effectively decreasing the available data_desc buffer size by one. Functions like mlx_smbus_i2c_block_func() that prepare the request also set the length of the first write operation to one and store the command id there, so the target buffer size of data_desc again decreases by one, making it two bytes less than expected.

  [Fix]
  * Add a check for "operation->length" and data_idx and return an error if the upper bound is reached.

  [Test Case]
  * Test the i2c-mlxbf.c driver using IPMB functionality.

  [Regression Potential]
  This fix returns a negative value to indicate that a transaction has failed. So it will catch more transaction failures.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1934304/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
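The arithmetic in the SRU justification (a 128-byte data_desc, one byte taken by the address, a one-byte command operation, and up to four 32-byte writes) is easy to get wrong by one, so here is an added worked example that models the packing loop and the bound check the fix describes. This is not code from i2c-mlxbf.c or the linux-bluefield tree: the structure names, the constant values, the address encoding and the try_request() helper are assumptions taken from the bug report, and the payload bytes are constructed filler.

```c
/*
 * Added example (not the linux-bluefield driver code): a model of the
 * data_desc packing loop from the bug report and the bound check that
 * fixes it. Names, sizes and the request layout are assumptions taken
 * from the report, not from i2c-mlxbf.c.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_DESC_SIZE      128  /* data_desc is 128 bytes (bug report) */
#define I2C_SMBUS_BLOCK_MAX  32  /* per-operation cap checked by callers */

struct op {
    const uint8_t *buffer;
    size_t length;
};

/* Bytes the unchecked loop would write: one address byte plus every op. */
static size_t bytes_needed(const size_t *lens, size_t nops)
{
    size_t total = 1;                 /* data_desc[0] holds the address */
    for (size_t i = 0; i < nops; i++)
        total += lens[i];
    return total;
}

/*
 * Hardened packing loop. Returns 0 and the bytes used, or -EINVAL when an
 * operation is longer than I2C_SMBUS_BLOCK_MAX or would run past data_desc.
 * The second check is the one the fix adds; without it four 32-byte writes
 * overrun the 128-byte buffer by one (by two when a command byte is present).
 */
static int pack_request(uint8_t *data_desc, size_t desc_size, uint8_t addr,
                        const struct op *ops, size_t nops, size_t *used)
{
    size_t data_idx = 0;

    if (desc_size == 0)
        return -EINVAL;
    data_desc[data_idx++] = (uint8_t)(addr << 1);   /* 7-bit addr, write bit clear */

    for (size_t i = 0; i < nops; i++) {
        if (ops[i].length > I2C_SMBUS_BLOCK_MAX)
            return -EINVAL;
        /* Added bound: refuse before memcpy() can write past the buffer. */
        if (ops[i].length > desc_size - data_idx)
            return -EINVAL;
        memcpy(data_desc + data_idx, ops[i].buffer, ops[i].length);
        data_idx += ops[i].length;
    }
    *used = data_idx;
    return 0;
}

/*
 * Build a request from a list of operation lengths (constructed test input;
 * payload bytes are filler) and return the bytes packed, or the error code.
 */
int try_request(const size_t *lens, size_t nops)
{
    static uint8_t filler[I2C_SMBUS_BLOCK_MAX + 1];
    struct op ops[8];
    uint8_t data_desc[DATA_DESC_SIZE];
    size_t used = 0;
    int rc;

    if (nops > sizeof(ops) / sizeof(ops[0]))
        return -EINVAL;
    memset(filler, 0xA5, sizeof(filler));
    for (size_t i = 0; i < nops; i++) {
        if (lens[i] > sizeof(filler))
            return -EINVAL;
        ops[i].buffer = filler;
        ops[i].length = lens[i];
    }
    rc = pack_request(data_desc, sizeof(data_desc), 0x20, ops, nops, &used);
    return rc ? rc : (int)used;
}

int main(void)
{
    const size_t four_blocks[]  = { 32, 32, 32, 32 };      /* report's case */
    const size_t cmd_then_four[] = { 1, 32, 32, 32, 32 };  /* block_func layout */
    const size_t fits[]          = { 1, 32, 32, 32, 30 };

    printf("4x32 needs %zu bytes, pack -> %d\n",
           bytes_needed(four_blocks, 4), try_request(four_blocks, 4));
    printf("cmd+4x32 needs %zu bytes, pack -> %d\n",
           bytes_needed(cmd_then_four, 5), try_request(cmd_then_four, 5));
    printf("cmd+3x32+30 needs %zu bytes, pack -> %d\n",
           bytes_needed(fits, 5), try_request(fits, 5));
    return 0;
}
```

The first two requests need 129 and 130 bytes respectively, which is exactly the off-by-one and off-by-two the report describes; with the added bound they fail with -EINVAL before memcpy() runs, which is also why the fix can only turn silent overruns into reported transaction failures rather than break requests that already fit.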