This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
focal' to 'verification-done-focal'. If the problem still exists, change
the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-focal

https://bugs.launchpad.net/bugs/1934304

Title:
  i2c-mlxbf.c: prevent stack overflow in
  mlxbf_i2c_smbus_start_transaction

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Committed

Bug description:
  SRU Justification:

  [Impact]

  There could be a stack overflow in mlxbf_i2c_smbus_start_transaction().
  memcpy() is called in a loop while the upper bound of 'operation->length'
  is not checked and 'data_idx' also increments.

  More details:
  The operation length is verified by the caller functions so it cannot
  exceed I2C_SMBUS_BLOCK_MAX bytes (32 bytes) for each operation that is a
  part of the write. Data_desc array is 128 bytes in size. So potentially a
  request which consists of 4 writes, 32 bytes each can trigger an
  off-by-one or off-by-two overflow, because the first byte of data_desc is
  used by addr, effectively decreasing the available data_desc buffer size
  by one. Functions like mlx_smbus_i2c_block_func() that prepare the
  request also set the length of the first write operation to one and store
  the command id there, so the target buffer size again decreases data_desc
  by one, making it two bytes less than expected.

  [Fix]

  * Add a check for "operation->length" and data_idx and return an error
  if the upper bound is reached.

  [Test Case]

  * Test the i2c-mlxbf.c driver using IPMB functionality.

  [Regression Potential]

  This fix returns a negative value to indicate that a transaction has
  failed. So it will catch more transaction failures.
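
The arithmetic in the bug description, as an added user-space sketch that is not the driver's code or the committed fix: it packs an address byte and a list of writes into a 128-byte descriptor and rejects a request once the cumulative index would pass the end. The names pack_request, try_request, struct op, DESC_SIZE and BLOCK_MAX, the sample address and command values, and the error codes are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define DESC_SIZE 128   /* data_desc size stated in the bug description */
#define BLOCK_MAX 32    /* per-operation cap (I2C_SMBUS_BLOCK_MAX) */

struct op { size_t length; const uint8_t *buf; };  /* hypothetical: one write */

/* Pack addr and all writes into desc; returns bytes used or -errno. */
static int pack_request(uint8_t addr, const struct op *ops, size_t n,
                        uint8_t desc[DESC_SIZE])
{
    size_t data_idx = 0;

    desc[data_idx++] = addr;            /* first byte is taken by addr */
    for (size_t i = 0; i < n; i++) {
        if (ops[i].length > BLOCK_MAX)  /* per-op check, as the callers do */
            return -EINVAL;
        /* Cumulative check: data_idx <= DESC_SIZE here, so no underflow. */
        if (ops[i].length > DESC_SIZE - data_idx)
            return -ENOBUFS;            /* error code chosen for this sketch */
        memcpy(desc + data_idx, ops[i].buf, ops[i].length);
        data_idx += ops[i].length;
    }
    return (int)data_idx;
}

/* Constructed sample: optional 1-byte command, then `blocks` 32-byte writes. */
int try_request(int with_cmd, size_t blocks)
{
    static const uint8_t cmd = 0x10, payload[BLOCK_MAX] = {0};
    uint8_t desc[DESC_SIZE];
    struct op ops[5];
    size_t n = 0;

    if (with_cmd)
        ops[n++] = (struct op){ 1, &cmd };
    while (blocks-- && n < 5)
        ops[n++] = (struct op){ BLOCK_MAX, payload };
    return pack_request(0x50, ops, n, desc);
}

int main(void)
{
    /* 4 x 32 needs 129 bytes and is rejected; cmd + 3 x 32 fits in 98. */
    return !(try_request(0, 4) < 0 && try_request(1, 3) == 98);
}
```

Every operation in the rejected requests passes the 32-byte per-operation check; only the running total against the descriptor size catches them.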
