[PATCH openEuler-5.10 31/47] i2c: validate user data in compat ioctl

28 Jan 2022

From: Pavel Skripkin paskripkin@gmail.com
stable inclusion
from stable-v5.10.90
commit 8d31cbab4c295d7010ebb729e9d02d0e9cece18f
bugzilla: 186168 https://gitee.com/openeuler/kernel/issues/I4SHY1
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings
Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Pavel Skripkin paskripkin@gmail.com
Signed-off-by: Wolfram Sang wsa@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Chen Jun chenjun102@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 drivers/i2c/i2c-dev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index f358120d59b3..dafad891998e 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -536,6 +536,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
    			   sizeof(rdwr_arg)))
    		return -EFAULT;
+		if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
+			return -EINVAL;
+
    	if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
    		return -EINVAL;
-- 
2.20.1

    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-5.10 31/47] i2c: validate user data in compat ioctl