i2c: s3c24xx: check the size of the SMBUS message before using it

[PATCH] i2c: s3c24xx: check the size of the SMBUS message before using it

Posted by Greg Kroah-Hartman 1 month, 3 weeks ago

The first byte of an i2c SMBUS message is the size, and it should be
verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
before processing it.

This is the same logic that was added in commit a6e04f05ce0b ("i2c:
tegra: check msg length in SMBUS block read") to the i2c tegra driver.

Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Alim Akhtar <alim.akhtar@samsung.com>
Cc: Andi Shyti <andi.shyti@kernel.org>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-s3c2410.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
index 8138f5ef40f0..15e14a6fe6dc 100644
--- a/drivers/i2c/busses/i2c-s3c2410.c
+++ b/drivers/i2c/busses/i2c-s3c2410.c
@@ -503,8 +503,13 @@ static void i2c_s3c_irq_nextbyte(struct s3c24xx_i2c *i2c, unsigned long iicstat)
 		i2c->msg->buf[i2c->msg_ptr++] = byte;
 
 		/* Add actual length to read for smbus block read */
-		if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1)
+		if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) {
+			if (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX) {
+				s3c24xx_i2c_stop(i2c, -EPROTO);
+				break;
+			}
 			i2c->msg->len += byte;
+		}
  prepare_read:
 		if (is_msglast(i2c)) {
 			/* last byte of buffer */
-- 
2.53.0

Re: [PATCH] i2c: s3c24xx: check the size of the SMBUS message before using it

Posted by Andi Shyti 3 weeks, 1 day ago

Hi Greg,

On Mon, Feb 23, 2026 at 06:05:15PM +0100, Greg Kroah-Hartman wrote:
> The first byte of an i2c SMBUS message is the size, and it should be
> verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
> before processing it.
> 
> This is the same logic that was added in commit a6e04f05ce0b ("i2c:
> tegra: check msg length in SMBUS block read") to the i2c tegra driver.
> 
> Cc: Krzysztof Kozlowski <krzk@kernel.org>
> Cc: Alim Akhtar <alim.akhtar@samsung.com>
> Cc: Andi Shyti <andi.shyti@kernel.org>
> Cc: stable <stable@kernel.org>
> Assisted-by: gkh_clanker_2000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

merged to i2c/i2c-host.

Thanks,
Andi

Re: [PATCH] i2c: s3c24xx: check the size of the SMBUS message before using it

Posted by Greg Kroah-Hartman 3 weeks ago

On Wed, Mar 25, 2026 at 06:17:58PM +0100, Andi Shyti wrote:
> Hi Greg,
> 
> On Mon, Feb 23, 2026 at 06:05:15PM +0100, Greg Kroah-Hartman wrote:
> > The first byte of an i2c SMBUS message is the size, and it should be
> > verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
> > before processing it.
> > 
> > This is the same logic that was added in commit a6e04f05ce0b ("i2c:
> > tegra: check msg length in SMBUS block read") to the i2c tegra driver.
> > 
> > Cc: Krzysztof Kozlowski <krzk@kernel.org>
> > Cc: Alim Akhtar <alim.akhtar@samsung.com>
> > Cc: Andi Shyti <andi.shyti@kernel.org>
> > Cc: stable <stable@kernel.org>
> > Assisted-by: gkh_clanker_2000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> merged to i2c/i2c-host.

Thanks!