u-boot.git/cmd/i2c.c, branch v2023.01 Unnamed repository; edit this file 'description' to name the repository. i2c: fix stack buffer overflow vulnerability in i2c md command 2022-08-31T16:21:47+00:00 Marek Vasut marex@denx.de 2022-08-26T21:15:56+00:00 e4573fef7701afc2df22924ce0a445b923475afc This reinstates fix from commit 8f8c04bf1ebb ("i2c: fix stack buffer overflow vulnerability in i2c md command") without the changes unrelated to the actual fix. Avoid the underflow by setting only nbytes and linebytes as unsigned integers. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Heiko Schocher <hs@denx.de> Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Cc: Simon Glass <sjg@chromium.org> Cc: Tim Harvey <tharvey@gateworks.com> Acked-by: Tim Harvey <tharvey@gateworks.com> 
This reinstates fix from commit 8f8c04bf1ebb ("i2c: fix stack buffer
overflow vulnerability in i2c md command") without the changes unrelated
to the actual fix. Avoid the underflow by setting only nbytes and
linebytes as unsigned integers.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tim Harvey <tharvey@gateworks.com>
Acked-by: Tim Harvey <tharvey@gateworks.com>
Revert "i2c: fix stack buffer overflow vulnerability in i2c md command" 2022-08-31T16:21:31+00:00 Marek Vasut marex@denx.de 2022-08-26T21:15:55+00:00 1aa9a04ff687b8d55b0fb68ae2a688c8705665cc This reverts commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409. The commit is largely wrong and breaks most of i2c command functionality. The problem described in the aforementioned commit commit message is valid, however the commit itself does many more changes unrelated to fixing that one problem it describes. Those extra changes, namely the handling of i2c device address length as unsigned instead of signed integer, breaks the expectation that address length may be negative value. The negative value is used by DM to indicate that address length of device does not change. The actual bug documented in commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 can be fixed by extra sanitization in separate patch. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Heiko Schocher <hs@denx.de> Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Cc: Simon Glass <sjg@chromium.org> Cc: Tim Harvey <tharvey@gateworks.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
This reverts commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409.

The commit is largely wrong and breaks most of i2c command functionality.
The problem described in the aforementioned commit commit message is valid,
however the commit itself does many more changes unrelated to fixing that
one problem it describes. Those extra changes, namely the handling of i2c
device address length as unsigned instead of signed integer, breaks the
expectation that address length may be negative value. The negative value
is used by DM to indicate that address length of device does not change.

The actual bug documented in commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
can be fixed by extra sanitization in separate patch.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
i2c: fix stack buffer overflow vulnerability in i2c md command 2022-06-28T19:51:56+00:00 Nicolas Iooss nicolas.iooss+uboot@ledger.fr 2022-06-10T14:50:25+00:00 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 When running "i2c md 0 0 80000100", the function do_i2c_md parses the length into an unsigned int variable named length. The value is then moved to a signed variable: int nbytes = length; #define DISP_LINE_LEN 16 int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes; ret = dm_i2c_read(dev, addr, linebuf, linebytes); On systems where integers are 32 bits wide, 0x80000100 is a negative value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned 0x80000100 instead of 16. The consequence is that the function which reads from the i2c device (dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill but with a size parameter which is too large. In some cases, this could trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c (used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to a 16-bit integer. This is because function i2c_transfer expects an unsigned short length. In such a case, an attacker who can control the response of an i2c device can overwrite the return address of a function and execute arbitrary code through Return-Oriented Programming. Fix this issue by using unsigned integers types in do_i2c_md. While at it, make also alen unsigned, as signed sizes can cause vulnerabilities when people forgot to check that they can be negative. Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Reviewed-by: Heiko Schocher <hs@denx.de> 
When running "i2c md 0 0 80000100", the function do_i2c_md parses the
length into an unsigned int variable named length. The value is then
moved to a signed variable:

    int nbytes = length;
    #define DISP_LINE_LEN 16
    int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
    ret = dm_i2c_read(dev, addr, linebuf, linebytes);

On systems where integers are 32 bits wide, 0x80000100 is a negative
value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
0x80000100 instead of 16.

The consequence is that the function which reads from the i2c device
(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
but with a size parameter which is too large. In some cases, this could
trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
a 16-bit integer. This is because function i2c_transfer expects an
unsigned short length. In such a case, an attacker who can control the
response of an i2c device can overwrite the return address of a function
and execute arbitrary code through Return-Oriented Programming.

Fix this issue by using unsigned integers types in do_i2c_md. While at
it, make also alen unsigned, as signed sizes can cause vulnerabilities
when people forgot to check that they can be negative.

Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Reviewed-by: Heiko Schocher <hs@denx.de>
cmd/i2c.c: Remove unused legacy code 2021-08-30T18:10:07+00:00 Tom Rini trini@konsulko.com 2021-08-19T03:12:31+00:00 1edef7693b576f7ab208a697bb01f033b68041fb There are no longer any cases where we are neither SYS_I2C_LEGACY nor DM_I2C. Remove these code paths. Signed-off-by: Tom Rini <trini@konsulko.com> 
There are no longer any cases where we are neither SYS_I2C_LEGACY nor
DM_I2C.  Remove these code paths.

Signed-off-by: Tom Rini <trini@konsulko.com>
Convert CONFIG_SYS_I2C_LEGACY to Kconfig and add CONFIG_[ST]PL_SYS_I2C_LEGACY 2021-08-30T18:10:07+00:00 Tom Rini trini@konsulko.com 2021-08-19T03:12:24+00:00 55dabcc8f24598e2777f663de09ab55fbe1269da First, we convert CONFIG_SYS_I2C_LEGACY to Kconfig. Next, as you cannot have SYS_I2C_LEGACY and DM_I2C at the same time, introduce CONFIG_SPL_SYS_I2C_LEGACY so that we can enable the legacy option only in SPL. Finally, for some PowerPC cases we also need CONFIG_TPL_SYS_I2C_LEGACY support. Convert all of the existing users to one or more symbols. Signed-off-by: Tom Rini <trini@konsulko.com> 
First, we convert CONFIG_SYS_I2C_LEGACY to Kconfig.  Next, as you cannot
have SYS_I2C_LEGACY and DM_I2C at the same time, introduce
CONFIG_SPL_SYS_I2C_LEGACY so that we can enable the legacy option only
in SPL.  Finally, for some PowerPC cases we also need
CONFIG_TPL_SYS_I2C_LEGACY support.  Convert all of the existing users to
one or more symbols.

Signed-off-by: Tom Rini <trini@konsulko.com>
Convert CONFIG_SYS_I2C_EEPROM_ADDR et al to Kconfig 2021-08-30T18:10:06+00:00 Tom Rini trini@konsulko.com 2021-08-17T21:59:45+00:00 88cd7d0ea961ca11b1eeaaea8b7811573b103abb - Rename usages of CONFIG_SYS_DEF_EEPROM_ADDR to CONFIG_SYS_I2C_EEPROM_ADDR based on current usage. - Convert CONFIG_SYS_I2C_EEPROM_ADDR, CONFIG_SYS_I2C_EEPROM_ADDR_LEN, CONFIG_SYS_I2C_EEPROM_BUS, CONFIG_CONFIG_SYS_EEPROM_SIZE CONFIG_SYS_EEPROM_PAGE_WRITE_BITS and CONFIG_SYS_EEPROM_PAGE_WRITE_DELAY_MS to Kconfig. We move these symbols around a bit and add appropriate dependencies to them. In some cases, we now add a correct default value as well. Signed-off-by: Tom Rini <trini@konsulko.com> 
- Rename usages of CONFIG_SYS_DEF_EEPROM_ADDR to CONFIG_SYS_I2C_EEPROM_ADDR
  based on current usage.
- Convert CONFIG_SYS_I2C_EEPROM_ADDR, CONFIG_SYS_I2C_EEPROM_ADDR_LEN,
  CONFIG_SYS_I2C_EEPROM_BUS, CONFIG_CONFIG_SYS_EEPROM_SIZE
  CONFIG_SYS_EEPROM_PAGE_WRITE_BITS and CONFIG_SYS_EEPROM_PAGE_WRITE_DELAY_MS
  to Kconfig.  We move these symbols around a bit and add appropriate
  dependencies to them.  In some cases, we now add a correct default value
  as well.

Signed-off-by: Tom Rini <trini@konsulko.com>
global: Convert simple_strtoul() with decimal to dectoul() 2021-08-02T17:32:14+00:00 Simon Glass sjg@chromium.org 2021-07-24T15:03:30+00:00 0b1284eb52578e15ec611adc5fee1a9ae68dadea It is a pain to have to specify the value 10 in each call. Add a new dectoul() function and update the code to use it. Signed-off-by: Simon Glass <sjg@chromium.org> 
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.

Signed-off-by: Simon Glass <sjg@chromium.org>
global: Convert simple_strtoul() with hex to hextoul() 2021-08-02T17:32:14+00:00 Simon Glass sjg@chromium.org 2021-07-24T15:03:29+00:00 7e5f460ec457fe310156e399198a41eb0ce1e98c It is a pain to have to specify the value 16 in each call. Add a new hextoul() function and update the code to use it. Add a proper comment to simple_strtoul() while we are here. Signed-off-by: Simon Glass <sjg@chromium.org> 
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.

Add a proper comment to simple_strtoul() while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
i2c: Rename CONFIG_SYS_I2C to CONFIG_SYS_I2C_LEGACY 2021-07-28T18:29:37+00:00 Simon Glass sjg@chromium.org 2021-07-11T03:14:32+00:00 69d9eda4da13ecabb8002fce0dded4bba3bff9f9 It is quite confusing that CONFIG_SYS_I2C selects the legacy I2C and CONFIG_DM_I2C selects the current I2C. The deadline to migrate I2C is less than a year away. Also we want to have a CONFIG_I2C for U-Boot proper just like we have CONFIG_SPL_I2C for SPL, so we can simplify the Makefile rules. Rename this symbol so it is clear it is going away. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heiko Schocher <hs@denx.de> 
It is quite confusing that CONFIG_SYS_I2C selects the legacy I2C and
CONFIG_DM_I2C selects the current I2C. The deadline to migrate I2C is less
than a year away.

Also we want to have a CONFIG_I2C for U-Boot proper just like we have
CONFIG_SPL_I2C for SPL, so we can simplify the Makefile rules.

Rename this symbol so it is clear it is going away.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
dm: i2c: use CONFIG_IS_ENABLED macro for DM_I2C/DM_I2C_GPIO 2021-02-21T05:08:00+00:00 Igor Opaniuk igor.opaniuk@foundries.io 2021-02-09T11:52:45+00:00 2147a16983d17bcb0438607aa7760494afc27014 Use CONFIG_IS_ENABLED() macro, which provides more convenient way to check $(SPL)DM_I2C/$(SPL)DM_I2C_GPIO configs for both SPL and U-Boot proper. CONFIG_IS_ENABLED(DM_I2C) expands to: - 1 if CONFIG_SPL_BUILD is undefined and CONFIG_DM_I2C is set to 'y', - 1 if CONFIG_SPL_BUILD is defined and CONFIG_SPL_DM_I2C is set to 'y', - 0 otherwise. All occurences were replaced automatically using these bash cmds: $ find . -type f -exec sed -i 's/ifndef CONFIG_DM_I2C/if !CONFIG_IS_ENABLED(DM_I2C)/g' {} + $ find . -type f -exec sed -i 's/ifdef CONFIG_DM_I2C/if CONFIG_IS_ENABLED(DM_I2C)/g' {} + $ find . -type f -exec sed -i 's/defined(CONFIG_DM_I2C)/CONFIG_IS_ENABLED(DM_I2C)/g' {} + $ find . -type f -exec sed -i 's/ifndef CONFIG_DM_I2C_GPIO/if !CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} + $ find . -type f -exec sed -i 's/ifdef CONFIG_DM_I2C_GPIO/if CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} + $ find . -type f -exec sed -i 's/defined(CONFIG_DM_I2C_GPIO)/CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} + Reviewed-by: Heiko Schocher <hs@denx.de> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io> Reviewed-by: Tom Rini <trini@konsulko.com> Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com> 
Use CONFIG_IS_ENABLED() macro, which provides more convenient
way to check $(SPL)DM_I2C/$(SPL)DM_I2C_GPIO configs
for both SPL and U-Boot proper.

CONFIG_IS_ENABLED(DM_I2C) expands to:
- 1 if CONFIG_SPL_BUILD is undefined and CONFIG_DM_I2C is set to 'y',
- 1 if CONFIG_SPL_BUILD is defined and CONFIG_SPL_DM_I2C is set to 'y',
- 0 otherwise.

All occurences were replaced automatically using these bash cmds:
$ find . -type f -exec sed -i
     's/ifndef CONFIG_DM_I2C/if !CONFIG_IS_ENABLED(DM_I2C)/g' {} +
$ find . -type f -exec sed -i
    's/ifdef CONFIG_DM_I2C/if CONFIG_IS_ENABLED(DM_I2C)/g' {} +
$ find . -type f -exec sed -i
    's/defined(CONFIG_DM_I2C)/CONFIG_IS_ENABLED(DM_I2C)/g' {} +
$ find . -type f -exec sed -i
    's/ifndef CONFIG_DM_I2C_GPIO/if !CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} +
$ find . -type f -exec sed -i
    's/ifdef CONFIG_DM_I2C_GPIO/if CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} +
$ find . -type f -exec sed -i
    's/defined(CONFIG_DM_I2C_GPIO)/CONFIG_IS_ENABLED(DM_I2C_GPIO)/g' {} +

Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>