i2c-mlxbf.c: prevent stack overflow in mlxbf_i2c_smbus_start_transaction
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-bluefield (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Medium | Asmaa Mnebhi |
Bug Description
SRU Justification:
[Impact]
There could be stack overflow in mlxbf_i2c_
memcpy() is called in a loop while 'operation->length' upper bound is not
checked and 'data_idx' also increments.
More details:
The operation length is verified by the caller functions so it cannot exceed I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is a part of the write. Data_desc array is 128 bytes in size. So potentially a request which consists of 4 writes, 32 bytes each can trigger an off-by-one or off-by-two overflow, because the first byte of data_desc is used by addr, effectively decreasing the available data_desc buffer size by one. Functions like mlx_smbus_
[Fix]
* Add a check for "operation->length" and data_idx and return an error if the upper bound is reached.
[Test Case]
* Test the i2c-mlxbf.c driver using IPMB functionality.
[Regression Potential]
This fix returns a negative value to indicate that a transaction has failed. So it will catch more transaction failures.
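A user-space model of the check described under [Fix], added here as an example; it is not the i2c-mlxbf.c driver code or the actual patch. `struct op`, `pack_writes` and `try_writes` are hypothetical names, and the two sizes are the ones given in the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_MAX      32   /* I2C_SMBUS_BLOCK_MAX, per the report */
#define DATA_DESC_SIZE 128  /* size of data_desc, per the report */

struct op { size_t length; const uint8_t *buffer; }; /* hypothetical write op */

/* Pack addr plus every operation's payload into data_desc.
 * Returns the number of bytes used, or -EINVAL if an operation does not fit. */
int pack_writes(uint8_t *data_desc, uint8_t addr,
                const struct op *ops, size_t op_count)
{
    size_t data_idx = 0;

    data_desc[data_idx++] = addr;   /* byte 0 is taken: 127 bytes remain */
    for (size_t i = 0; i < op_count; i++) {
        const struct op *operation = &ops[i];

        /* Per-operation limit, already enforced by the callers. */
        if (operation->length > BLOCK_MAX)
            return -EINVAL;
        /* Cumulative limit: compare against the space that is left, not the
         * total size. data_idx never exceeds DATA_DESC_SIZE, so no wrap. */
        if (operation->length > DATA_DESC_SIZE - data_idx)
            return -EINVAL;
        memcpy(data_desc + data_idx, operation->buffer, operation->length);
        data_idx += operation->length;
    }
    return (int)data_idx;
}

/* Constructed input: `count` writes of BLOCK_MAX bytes, the last of last_len. */
int try_writes(size_t count, size_t last_len)
{
    static const uint8_t payload[BLOCK_MAX + 1];
    uint8_t data_desc[DATA_DESC_SIZE];
    struct op ops[8];

    if (count == 0 || count > 8)
        return -EINVAL;
    for (size_t i = 0; i < count; i++)
        ops[i] = (struct op){ BLOCK_MAX, payload };
    ops[count - 1].length = last_len;
    return pack_writes(data_desc, 0x50, ops, count);
}
```

With the cumulative check removed, `try_writes(4, 32)` would copy the fourth payload into offsets 97 to 128, one byte past the end of the 128-byte array.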
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → Asmaa Mnebhi (asmaam)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-done-focal removed: verification-needed-focal
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!