i2c: validate user data in compat ioctl
author Pavel Skripkin <paskripkin@gmail.com>
Thu, 30 Dec 2021 22:47:50 +0000 (01:47 +0300)
committer Wolfram Sang <wsa@kernel.org>
Fri, 31 Dec 2021 13:28:22 +0000 (14:28 +0100)
Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compat ioctl to prevent reported
warnings.

Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
drivers/i2c/i2c-dev.c

index bce0e8bb785208e8380e0dde8b3dd4f45fccb432..cf5d049342ead2ca707475196083b813b0ccb5af 100644 (file)
@@ -535,6 +535,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
                                   sizeof(rdwr_arg)))
                        return -EFAULT;
 
+               if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
+                       return -EINVAL;
+
                if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
                        return -EINVAL;
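
Review bot: the added condition `if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)` rejects a NULL `msgs` pointer as well as a zero count, but the commit message only explains the zero-msgs case that reaches the warning in i2c_transfer(). Please say in the commit message (or a one-line comment above the check) why the NULL pointer is rejected here and why it maps to -EINVAL rather than -EFAULT, which is what the copy failure just above returns for a bad user pointer. As a style point, the lower bound on `nmsgs` now sits in a separate `if` from the upper bound `rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS` even though both return -EINVAL; keeping the two range checks on `nmsgs` together would make the accepted range readable at a glance, and `!rdwr_arg.nmsgs` would match the form used for `msgs` in the same expression.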