Re: [PATCH 2.6] I2C: Prevent buffer overflow on SMBus block read in i2c-viapro

From: Greg KH (greg_at_kroah.com)
Date: 02/01/05

  • Next message: Greg KH: "Re: serial8250_init and platform_device" 
    Date:	Tue, 1 Feb 2005 00:22:41 -0800
To: Jean Delvare <khali@linux-fr.org>

    On Wed, Jan 26, 2005 at 10:17:27AM +0100, Jean Delvare wrote:
    >
    > Hi Greg, all,
    >
    > > Hm, all distros leave the i2c-dev /dev nodes writable only by root, so
    > > this isn't that "big" of an issue.
    >
    > Agreed. Non-root write access to these devices would probably be a
    > security issue per se anyway, buffer overflow or not. However, I can't
    > tell if e.g. some embedded systems wouldn't set a particular group on
    > these device files and allow write access to this group, so as to allow
    > some daemon to write data to an EEPROM or something similar. This is why
    > I thought I better warn and push the patch upstream. I wasn't exactly
    > requesting 2.6.10.1 to be released ;)
    >
    > On second thought, I doubt that embedded designs would rely on a VIA Pro
    > chip anyway. But you never know.
    >
    > > > @@ -268,6 +268,8 @@
    > > > break;
    > > > case VT596_BLOCK_DATA:
    > > > data->block[0] = inb_p(SMBHSTDAT0);
    > > > + if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
    > > > + data->block[0] = I2C_SMBUS_BLOCK_MAX;
    > >
    > > But data->block[0] just came from the hardware, right? Not from a user.
    >
    > True, except that with a write access to the device file and depending on
    > the client chip, the user might have just programmed the chip for it to
    > answer with this specific value. See right below.
    >
    > > Now if we have broken hardware, then we might have a problem here, but
    > > otherwise I don't see it as a security issue right now.
    >
    > It doesn't take broken hardware.
    >
    > (Warning: I am going technical at this point, people not interested in
    > the gory details of the I2C and SMBus protocols should better stop here
    > ;))

    <snip>

    Thanks for the good description. I've applied your patch to my trees
    and will push it upward soon.

    thanks,

    greg k-h
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Greg KH: "Re: serial8250_init and platform_device"

    Relevant Pages

    • Re: [tpmdd-devel] Re: [PATCH 1/1] driver: Tpm hardware enablement --updated version
      ... On Thu, 2004-12-16 at 16:48, Greg KH wrote: ... It is there in the middle of the paragraph. ... So the problem we have is that the chip does not have a unique id and we ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • [OT]: From the Dept. of Stolen Identies and Other Security Nightmares
      ... e-Passports Using Contactless Chips Show Security Flaws ... electronic-passport interoperability exposed technology flaws, ... of the International Civil Aviation Organization's e-passport spec. ... chip that can be read only within a distance of a few inches. ...
      (comp.os.vms)
    • Re: [stable] Linux 2.6.25.10
      ... On 15 Jul 2008 at 15:39, Greg KH wrote: ... declared policy in Documentation/SecurityBugs yet ... that, that's not full disclosure. ... here's a bugfix that might be security related ...
      (Linux-Kernel)
    • Security in Online Poker--Russ G
      ... Greg is the CEO of a big ... Now Greg was telling me how good the security was on Ultimate Bet. ... The colluders don't worry about the price of gas. ...
      (rec.gambling.poker)
    • Re: AES Bitstream Encryption in Virtex-4. How safe it is?
      ... understand what security is all about ("there is no security in ... the price for some flash MCU could be ... based smartcard chip. ... This key has _never_ been read out, but the protection has been broken ...
      (comp.arch.fpga)
    Loading