LM
/
u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Revert "i2c: fix stack buffer overflow vulnerability in i2c md command" 

This reverts commit 8f8c04bf1e.

The commit is largely wrong and breaks most of i2c command functionality.
The problem described in the aforementioned commit commit message is valid,
however the commit itself does many more changes unrelated to fixing that
one problem it describes. Those extra changes, namely the handling of i2c
device address length as unsigned instead of signed integer, breaks the
expectation that address length may be negative value. The negative value
is used by DM to indicate that address length of device does not change.

The actual bug documented in commit 8f8c04bf1e
can be fixed by extra sanitization in separate patch.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Marek Vasut 2022-08-26 23:15:55 +02:00 committed by Tom Rini
parent 6eea9408ac
commit 1aa9a04ff6
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
cmd/i2c.c
View File

@ -200,10 +200,10 @@ void i2c_init_board(void)
* *
* Returns the address length. * Returns the address length.
*/ */
static uint get_alen(char *arg, uint default_len) static uint get_alen(char *arg, int default_len)
{ {
uint j; int j;
uint alen; int alen;
alen = default_len; alen = default_len;
for (j = 0; j < 8; j++) { for (j = 0; j < 8; j++) {
@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,
{ {
uint chip; uint chip;
uint devaddr, length; uint devaddr, length;
uint alen; int alen;
u_char *memaddr; u_char *memaddr;
int ret; int ret;
#if CONFIG_IS_ENABLED(DM_I2C) #if CONFIG_IS_ENABLED(DM_I2C)
@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,
{ {
uint chip; uint chip;
uint devaddr, length; uint devaddr, length;
uint alen; int alen;
u_char *memaddr; u_char *memaddr;
int ret; int ret;
#if CONFIG_IS_ENABLED(DM_I2C) #if CONFIG_IS_ENABLED(DM_I2C)
@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,
{ {
uint chip; uint chip;
uint addr, length; uint addr, length;
uint alen; int alen;
uint j, nbytes, linebytes; int j, nbytes, linebytes;
int ret; int ret;
#if CONFIG_IS_ENABLED(DM_I2C) #if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev; struct udevice *dev;
@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,
{ {
uint chip; uint chip;
ulong addr; ulong addr;
uint alen; int alen;
uchar byte; uchar byte;
uint count; int count;
int ret; int ret;
#if CONFIG_IS_ENABLED(DM_I2C) #if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev; struct udevice *dev;
@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,
{ {
uint chip; uint chip;
ulong addr; ulong addr;
uint alen; int alen;
uint count; int count;
uchar byte; uchar byte;
ulong crc; ulong crc;
ulong err; ulong err;
@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[]) char *const argv[])
{ {
uint chip; uint chip;
uint alen; int alen;
uint addr; uint addr;
uint length; uint length;
u_char bytes[16]; u_char bytes[16];