[PATCH] i2c: amd-asf: Validate firmware-reported length

Next message: Shung-Hsi Yu: "Re: [PATCH bpf-next] selftests/bpf: add helper retval linked scalar pruning selftest"
Previous message: Vlastimil Babka (SUSE): "Re: [PATCH v2 15/16] mm/slab: remove __GFP_NO_OBJ_EXT usage from alloc_slab_obj_exts()"
In reply to: Paritosh Potukuchi: "[PATCH] i2c: amd-asf: Validate firmware-reported length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paritosh Potukuchi

Date: Fri Jun 12 2026 - 06:19:32 EST

The firmware may sometimes return a length greater than the
allocated buffer size, which can lead to out-of-bounds access
and a kernel panic.

Currently, the driver does not validate the length read from
firmware.

Add a check to ensure the firmware-reported length stays within
the bounds of the data buffer.

Fix indentation issues reported by checkpatch.

Signed-off-by: Paritosh Potukuchi <paritosh.potukuchi@xxxxxxx>
---
drivers/i2c/busses/i2c-amd-asf-plat.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-amd-asf-plat.c b/drivers/i2c/busses/i2c-amd-asf-plat.c
index ca45f0f23321..e1699da838c2 100644
--- a/drivers/i2c/busses/i2c-amd-asf-plat.c
+++ b/drivers/i2c/busses/i2c-amd-asf-plat.c
@@ -90,6 +90,9 @@ static void amd_asf_process_target(struct work_struct *work)
outb_p(reg, ASFDATABNKSEL);
cmd = inb_p(ASFINDEX);
len = inb_p(ASFDATARWPTR);
+ if (len > ASF_BLOCK_MAX_BYTES)
+ return;
+
for (idx = 0; idx < len; idx++)
data[idx] = inb_p(ASFINDEX);

--
2.43.0