[RHEL9] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (!2416) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Tony Camuso requested to merge tcamuso/centos-stream-9:2188409 into main Apr 24, 2023

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2188409   
CVE: CVE-2023-2194
Upstream status: v6.3
Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=52209500

commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 Author: Wei Chen [harperchen1110@gmail.com](mailto:harperchen1110@gmail.com) Date: Tue Mar 14 16:54:21 2023 +0000

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

The data->block[0] variable comes from user and is a number between
0-255. Without proper check, the variable may be very large to cause
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.

Fix this bug by checking the value of writelen.

Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>

Signed-off-by: Tony Camuso <tcamuso@redhat.com>

Edited May 18, 2023 by Tony Camuso

[RHEL9] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

Merge request reports