The data->block[0] variable comes from user. Without proper check,
the variable may be very large to cause an out-of-bounds bug.

Fix this bug by checking the value of data->block[0] first.

Similar commit:
1. commit 39244cc7548 ("i2c: ismt: Fix an out-of-bounds bug in
ismt_access()")
2. commit 92fbb6d1296 ("i2c: xgene-slimpro: Fix out-of-bounds
bug in xgene_slimpro_i2c_xfer()")

Signed-off-by: Alex Guo <alexguo1023@gmail.com>
---
 drivers/i2c/busses/i2c-i801.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
index a7f89946dad4..7503418be39a 100644
--- a/drivers/i2c/busses/i2c-i801.c
+++ b/drivers/i2c/busses/i2c-i801.c
@@ -527,6 +527,8 @@ static int i801_block_transaction_by_block(struct i801_priv *priv,
 
 	if (read_write == I2C_SMBUS_WRITE) {
 		len = data->block[0];
+		if (len < 1 || len > I2C_SMBUS_BLOCK_MAX)
+			return -EINVAL;
 		iowrite8(len, SMBHSTDAT0(priv));
 		ioread8(SMBHSTCNT(priv));	/* reset the data buffer index */
 		iowrite8_rep(SMBBLKDAT(priv), data->block + 1, len);
-- 
2.34.1

Hi Alex,

On Sun, 15 Jun 2025 19:28:57 -0400, Alex Guo wrote:
> The data->block[0] variable comes from user. Without proper check,
> the variable may be very large to cause an out-of-bounds bug.
> 
> Fix this bug by checking the value of data->block[0] first.

This check is already present in i801_smbus_block_transaction(), which
is the only place where i801_block_transaction_by_block() is being
called. So the out-of-bounds bug you describe does not exist.

-- 
Jean Delvare
SUSE L3 Support