kernel/SOURCES/1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch

From 24bbece0ab10a61da0356b7d56a07b0055ee143d Mon Sep 17 00:00:00 2001
From: Wei Chen <harperchen1110@gmail.com>
Date: Tue, 8 Aug 2023 12:46:05 +0000
Subject: [PATCH 6/7] i2c: xgene-slimpro: Fix out-of-bounds bug in
 xgene_slimpro_i2c_xfer()

commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream
Author: Wei Chen <harperchen1110@gmail.com>
Date:   Tue Mar 14 16:54:21 2023 +0000

    i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

    The data->block[0] variable comes from user and is a number between
    0-255. Without proper check, the variable may be very large to cause
    an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.

    Fix this bug by checking the value of writelen.

    Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
    Signed-off-by: Wei Chen <harperchen1110@gmail.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>

CVE: CVE-2023-2194
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
---
 drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c
index f694b3c31..985ba3a3a 100644
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -322,6 +322,9 @@ static int slimpro_i2c_blkwr(struct slimpro_i2c_dev *ctx, u32 chip,
 	u32 msg[3];
 	int rc;
 
+	if (writelen > I2C_SMBUS_BLOCK_MAX)
+		return -EINVAL;
+
 	memcpy(ctx->dma_buffer, data, writelen);
 	paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
 			       DMA_TO_DEVICE);
-- 
2.31.1
Sync patches with OL 4.18.0-477.21.1.el8_8 2023-08-10 17:04:55 +00:00			`From 24bbece0ab10a61da0356b7d56a07b0055ee143d Mon Sep 17 00:00:00 2001`
			`From: Wei Chen <harperchen1110@gmail.com>`
			`Date: Tue, 8 Aug 2023 12:46:05 +0000`
			`Subject: [PATCH 6/7] i2c: xgene-slimpro: Fix out-of-bounds bug in`
			`xgene_slimpro_i2c_xfer()`

			`commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream`
			`Author: Wei Chen <harperchen1110@gmail.com>`
			`Date: Tue Mar 14 16:54:21 2023 +0000`

			`i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()`

			`The data->block[0] variable comes from user and is a number between`
			`0-255. Without proper check, the variable may be very large to cause`
			`an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.`

			`Fix this bug by checking the value of writelen.`

			`Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")`
			`Signed-off-by: Wei Chen <harperchen1110@gmail.com>`
			`Cc: stable@vger.kernel.org`
			`Reviewed-by: Andi Shyti <andi.shyti@kernel.org>`
			`Signed-off-by: Wolfram Sang <wsa@kernel.org>`

			`CVE: CVE-2023-2194`
			`Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>`
			`Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>`
			`---`
			`drivers/i2c/busses/i2c-xgene-slimpro.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c`
			`index f694b3c31..985ba3a3a 100644`
			`--- a/drivers/i2c/busses/i2c-xgene-slimpro.c`
			`+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c`
			`@@ -322,6 +322,9 @@ static int slimpro_i2c_blkwr(struct slimpro_i2c_dev *ctx, u32 chip,`
			`u32 msg[3];`
			`int rc;`

			`+ if (writelen > I2C_SMBUS_BLOCK_MAX)`
			`+ return -EINVAL;`
			`+`
			`memcpy(ctx->dma_buffer, data, writelen);`
			`paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,`
			`DMA_TO_DEVICE);`
			`--`
			`2.31.1`