[v3] i2c: validate user data in compat ioctl

Message ID	20211230224750.15380-1-paskripkin@gmail.com
State	Accepted
Commit	bb436283e25aaf1533ce061605d23a9564447bdf
Headers	show Return-Path: <linux-i2c-owner@kernel.org> From: Pavel Skripkin <paskripkin@gmail.com> To: wsa@kernel.org, viro@zeniv.linux.org.uk Cc: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com>, syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com Subject: [PATCH v3] i2c: validate user data in compat ioctl Date: Fri, 31 Dec 2021 01:47:50 +0300 Message-Id: <20211230224750.15380-1-paskripkin@gmail.com> In-Reply-To: <Yc4wkyr7QTs8ao5x@kunai> References: <Yc4wkyr7QTs8ao5x@kunai> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v3] i2c: validate user data in compat ioctl \| expand [v3] i2c: validate user data in compat ioctl

Message ID

20211230224750.15380-1-paskripkin@gmail.com

State

Accepted

Commit

bb436283e25aaf1533ce061605d23a9564447bdf

Headers

From: Pavel Skripkin <paskripkin@gmail.com>
To: wsa@kernel.org, viro@zeniv.linux.org.uk
Cc: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
        Pavel Skripkin <paskripkin@gmail.com>,
        syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Subject: [PATCH v3] i2c: validate user data in compat ioctl
Date: Fri, 31 Dec 2021 01:47:50 +0300
Message-Id: <20211230224750.15380-1-paskripkin@gmail.com>
In-Reply-To: <Yc4wkyr7QTs8ao5x@kunai>
References: <Yc4wkyr7QTs8ao5x@kunai>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v3] i2c: validate user data in compat ioctl | expand

Commit Message

Pavel Skripkin Dec. 30, 2021, 10:47 p.m. UTC

Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings

Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---

Changes in v3
	- Add rdwr_arg.nmsgs == 0 check as Wolfram suggested

Changes in v2:
	- Fixed typos in commit message

---
 drivers/i2c/i2c-dev.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Wolfram Sang Dec. 31, 2021, 1:31 p.m. UTC | #1

On Fri, Dec 31, 2021 at 01:47:50AM +0300, Pavel Skripkin wrote:
> Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
> Userspace should not be able to trigger warnings, so this patch adds
> validation checks for user data in compact ioctl to prevent reported
> warnings
> 
> Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
> Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>

Applied to for-current, thanks!

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index bce0e8bb7852..cf5d049342ea 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -535,6 +535,9 @@  static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
 				   sizeof(rdwr_arg)))
 			return -EFAULT;
 
+		if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
+			return -EINVAL;
+
 		if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
 			return -EINVAL;

[v3] i2c: validate user data in compat ioctl

Commit Message

Comments

Patch