Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()

From: Uwe Kleine-König
Date: Mon Apr 30 2018 - 03:13:21 EST

Next message: Simon Horman: "Re: [PATCH 0/3] fbdev/drm: sh_mobile: remove unused MERAM support"
Previous message: Ludovic Barre: "[PATCH 2/2] ARM: dts: stm32: add flash nor support on stm32mp157c eval board"
In reply to: Wolfram Sang: "Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 27, 2018 at 02:06:58PM +0200, Wolfram Sang wrote:
> On Thu, Apr 19, 2018 at 03:29:22PM +0300, Alexander Popov wrote:
> > i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
> > returns ZERO_SIZE_PTR if i2c_msg.len is zero.
> >
> > Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
> > of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
> > case of zero len.
> >
> > Let's check the len against zero before dereferencing buf pointer.
> >
> > This issue was triggered by syzkaller.
> >
> > Signed-off-by: Alexander Popov <alex.popov@xxxxxxxxx>
>
> Applied to for-current with the arithmetic expression changed to '< 1'
> to keep in sync with the previous one. Will push out soon, so you can
> double check if you are interested.

Thanks, I like it. An added bonus is also that you don't need to think
about the type of msgs[i].len and what happens if it is negative.

Best regards
Uwe

--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | http://www.pengutronix.de/ |

Next message: Simon Horman: "Re: [PATCH 0/3] fbdev/drm: sh_mobile: remove unused MERAM support"
Previous message: Ludovic Barre: "[PATCH 2/2] ARM: dts: stm32: add flash nor support on stm32mp157c eval board"
In reply to: Wolfram Sang: "Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]