From: Jean Delvare jdelvare@suse.de
mainline inclusion
from mainline-v6.8-rc6
commit c1c9d0f6f7f1dbf29db996bd8e166242843a5f21
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93ELY
CVE: CVE-2024-26593
--------------------------------
According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer.
The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.
Signed-off-by: Jean Delvare jdelvare@suse.de
Reported-by: Piotr Zakowski piotr.zakowski@intel.com
Closes: https://lore.kernel.org/linux-i2c/20240213120553.7b0ab120@endymion.delvare/
Fixes: 315cd67c9453 ("i2c: i801: Add Block Write-Block Read Process Call support")
Reviewed-by: Alexander Sverdlin alexander.sverdlin@gmail.com
Signed-off-by: Andi Shyti andi.shyti@kernel.org
Signed-off-by: Liao Chen liaochen4@huawei.com
---
 drivers/i2c/busses/i2c-i801.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index 679c6c41f64b..1c87bb8428fc 100644 --- a/drivers/i2c/busses/i2c-i801.c +++ b/drivers/i2c/busses/i2c-i801.c @@ -522,12 +522,11 @@ static int i801_block_transaction_by_block(struct i801_priv *priv, int i, len; int status;
- inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ - /* Use 32-byte buffer to process this transaction */ if (read_write == I2C_SMBUS_WRITE) { len = data->block[0]; outb_p(len, SMBHSTDAT0(priv)); + inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ for (i = 0; i < len; i++) outb_p(data->block[i+1], SMBBLKDAT(priv)); } @@ -543,6 +542,7 @@ static int i801_block_transaction_by_block(struct i801_priv *priv, return -EPROTO;
data->block[0] = len; + inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ for (i = 0; i < len; i++) data->block[i + 1] = inb_p(SMBBLKDAT(priv)); }
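Review bot: In the first hunk, the index reset that moved into the `if (read_write == I2C_SMBUS_WRITE)` branch keeps its old comment, so nothing records why it now sits after `outb_p(len, SMBHSTDAT0(priv))` and only on the write path. A comment saying that this is the reset required before the outgoing data is written to the buffer would keep a later cleanup from hoisting it back out of the branch. Since the value returned by `inb_p(SMBHSTCNT(priv))` is discarded, the comment could also say that the read is done only for its side effect.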
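Review bot: In the second hunk, the added `inb_p(SMBHSTCNT(priv))` before the read loop carries the same comment text as the call in the write branch, which makes the two look like an accidental duplicate. This is the second reset that the commit message says the datasheet requires before reading the incoming data, so the comment should say so, for example `/* reset the data buffer index again before reading */`. The check that ends in `return -EPROTO` is only partly visible in the context lines; it is worth confirming that it bounds `len` before the loop over `SMBBLKDAT(priv)` fills `data->block[i + 1]`.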