Unnamed repository; edit this file 'description' to name the repository. http://cgit.235523.xyz/u-boot.git/atom/cmd/i2c.c?h=v2024.01 2023-10-16T14:24:58Z 2023-10-16T14:24:58Z Tom Rini trini@konsulko.com 2023-10-07T19:13:08Z urn:sha1:3616218b5acea74011aea2d14aa1f6366f242849 - Generally we just drop the #ifdef CONFIG_SYS_LONGHELP and endif lines and use U_BOOT_LONGHELP to declare the same variable name as before - In a few places, either rename the variable to follow convention or introduce the variable as it was being done inline before. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> 2023-09-14T14:42:24Z Marek Vasut marek.vasut+renesas@mailbox.org 2023-09-06T21:29:52Z urn:sha1:05f84bd2acc698b22395f14b1e78825a6c085d6a The last user of the NEEDS_MANUAL_RELOC has been removed in commit 26af162ac8f8 ("arch: m68k: Implement relocation") Remove now unused NEEDS_MANUAL_RELOC code. Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> 2022-12-23T15:15:12Z Tom Rini trini@konsulko.com 2022-12-04T15:13:57Z urn:sha1:d8964b3e1d7233a1b45679c57985575ec0056022 Perform a simple rename of CONFIG_SYS_I2C_DIRECT_BUS to CFG_SYS_I2C_DIRECT_BUS Signed-off-by: Tom Rini <trini@konsulko.com> 2022-12-22T15:31:48Z Tom Rini trini@konsulko.com 2022-12-02T21:42:30Z urn:sha1:1353b25ec58eba4cd26f4101ebb1b6047838a105 This functionality is part of the legacy I2C subsystem and is currently unused anywhere. Remove the remaining references. Signed-off-by: Tom Rini <trini@konsulko.com> 2022-12-05T21:06:08Z Tom Rini trini@konsulko.com 2022-11-16T18:10:41Z urn:sha1:65cc0e2a65d2c9f107b2f42db6396d9ade6c5ad8 The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do not easily transition to Kconfig. In many cases they likely should come from the device tree instead. Move these out of CONFIG namespace and in to CFG namespace. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> 2022-12-05T21:06:07Z Tom Rini trini@konsulko.com 2022-11-16T18:10:29Z urn:sha1:cdc5ed8f1f2add27105151ecf61a07c5d4c3684a The rest of the unmigrated CONFIG symbols in the CONFIG_SYS_NUM namespace do not easily transition to Kconfig. In many cases they likely should come from the device tree instead. Move these out of CONFIG namespace and in to CFG namespace. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> 2022-08-31T16:21:47Z Marek Vasut marex@denx.de 2022-08-26T21:15:56Z urn:sha1:e4573fef7701afc2df22924ce0a445b923475afc This reinstates fix from commit 8f8c04bf1ebb ("i2c: fix stack buffer overflow vulnerability in i2c md command") without the changes unrelated to the actual fix. Avoid the underflow by setting only nbytes and linebytes as unsigned integers. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Heiko Schocher <hs@denx.de> Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Cc: Simon Glass <sjg@chromium.org> Cc: Tim Harvey <tharvey@gateworks.com> Acked-by: Tim Harvey <tharvey@gateworks.com> 2022-08-31T16:21:31Z Marek Vasut marex@denx.de 2022-08-26T21:15:55Z urn:sha1:1aa9a04ff687b8d55b0fb68ae2a688c8705665cc This reverts commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409. The commit is largely wrong and breaks most of i2c command functionality. The problem described in the aforementioned commit commit message is valid, however the commit itself does many more changes unrelated to fixing that one problem it describes. Those extra changes, namely the handling of i2c device address length as unsigned instead of signed integer, breaks the expectation that address length may be negative value. The negative value is used by DM to indicate that address length of device does not change. The actual bug documented in commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 can be fixed by extra sanitization in separate patch. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Heiko Schocher <hs@denx.de> Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Cc: Simon Glass <sjg@chromium.org> Cc: Tim Harvey <tharvey@gateworks.com> Reviewed-by: Simon Glass <sjg@chromium.org> 2022-06-28T19:51:56Z Nicolas Iooss nicolas.iooss+uboot@ledger.fr 2022-06-10T14:50:25Z urn:sha1:8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 When running "i2c md 0 0 80000100", the function do_i2c_md parses the length into an unsigned int variable named length. The value is then moved to a signed variable: int nbytes = length; #define DISP_LINE_LEN 16 int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes; ret = dm_i2c_read(dev, addr, linebuf, linebytes); On systems where integers are 32 bits wide, 0x80000100 is a negative value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned 0x80000100 instead of 16. The consequence is that the function which reads from the i2c device (dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill but with a size parameter which is too large. In some cases, this could trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c (used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to a 16-bit integer. This is because function i2c_transfer expects an unsigned short length. In such a case, an attacker who can control the response of an i2c device can overwrite the return address of a function and execute arbitrary code through Return-Oriented Programming. Fix this issue by using unsigned integers types in do_i2c_md. While at it, make also alen unsigned, as signed sizes can cause vulnerabilities when people forgot to check that they can be negative. Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr> Reviewed-by: Heiko Schocher <hs@denx.de> 2021-08-30T18:10:07Z Tom Rini trini@konsulko.com 2021-08-19T03:12:31Z urn:sha1:1edef7693b576f7ab208a697bb01f033b68041fb There are no longer any cases where we are neither SYS_I2C_LEGACY nor DM_I2C. Remove these code paths. Signed-off-by: Tom Rini <trini@konsulko.com>