| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-48806: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX |
| |
| Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer |
| size") revealed that ee1004_eeprom_read() did not properly limit how |
| many bytes to read at once. |
| |
| In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the |
| length to read as an u8. If count == 256 after taking into account the |
| offset and page boundary, the cast to u8 overflows. And this is common |
| when user space tries to read the entire EEPROM at once. |
| |
| To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already |
| the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. |
| |
| The Linux kernel CVE team has assigned CVE-2022-48806 to this issue. |
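
The length truncation described above can be reproduced in user space. The following is an added example, not the kernel driver's code: the function names and `PAGE_SIZE_ASSUMED` are hypothetical, and the 256-byte page size is an assumption chosen to match the `count == 256` case in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define I2C_SMBUS_BLOCK_MAX 32  /* value given in the advisory text */
#define PAGE_SIZE_ASSUMED 256   /* assumption: page size used by this model */

/* The transfer helper takes its length as a u8, so this is what it receives. */
static uint8_t as_u8_length(size_t count) { return (uint8_t)count; }

/* Pre-fix sizing as described: only the page boundary limits the request. */
static size_t chunk_unfixed(unsigned int offset, size_t count)
{
    if (offset + count > PAGE_SIZE_ASSUMED)
        count = PAGE_SIZE_ASSUMED - offset;
    return count;
}

/* Post-fix sizing: cap at I2C_SMBUS_BLOCK_MAX, then at the page boundary. */
static size_t chunk_fixed(unsigned int offset, size_t count)
{
    if (count > I2C_SMBUS_BLOCK_MAX)
        count = I2C_SMBUS_BLOCK_MAX;
    if (offset + count > PAGE_SIZE_ASSUMED)
        count = PAGE_SIZE_ASSUMED - offset;
    return count;
}

/* Transfers to read `total` bytes from offset 0; -1 if a chunk would not fit a u8. */
static int transfers_needed(size_t total)
{
    unsigned int offset = 0;
    int n = 0;
    while (total > 0) {
        size_t c = chunk_fixed(offset % PAGE_SIZE_ASSUMED, total);
        if (c == 0 || (size_t)as_u8_length(c) != c)
            return -1;
        offset += (unsigned int)c; total -= c; n++;
    }
    return n;
}

int main(void)
{
    size_t c = chunk_unfixed(0, 512); /* constructed: whole-device read request */
    printf("unfixed: count=%zu, u8 length=%u\n", c, (unsigned)as_u8_length(c));
    printf("fixed: first chunk=%zu, transfers for 512 bytes=%d\n",
           chunk_fixed(0, 512), transfers_needed(512));
    return 0;
}
```

With the unfixed sizing, a 256-byte request reaches the transfer helper as length 0; with the cap applied first, every chunk is at most 32 bytes and survives the narrowing to u8 unchanged.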
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.4.174 with commit aca56c298e2a6d20ab6308e203a8d37f2a7759d3 and fixed in 5.4.180 with commit 3937c35493ee2847aaefcfa5460e94b7443eef49 |
| Issue introduced in 5.10.94 with commit 25714ad6bf5e98025579fa4c08ff2041a663910c and fixed in 5.10.101 with commit a37960df7eac3cc8094bd1ab84864e9e32c91345 |
| Issue introduced in 5.15.17 with commit be9313f755a7bfa02230b15731d07074d5255ecb and fixed in 5.15.24 with commit 9a5f471ae380f9fcb9756d453c12ca1f8595a93c |
| Issue introduced in 5.16.3 with commit 07d9beb6e3c2e852e884113d6803ea4b3643ae38 and fixed in 5.16.10 with commit 9443ddeb3754e9e382a396b50adc1961301713ce |
| Issue introduced in 4.4.300 with commit 74650c34f93044d3ab441235f161f9e1e761e96b |
| Issue introduced in 4.9.298 with commit a126a8c3dd51519513141b4fc94fd4813bca2c0f |
| Issue introduced in 4.14.263 with commit 202d0e22fe512df0f1cb6253d40ce1058e373247 |
| Issue introduced in 4.19.226 with commit 7414af7bdad9a9cddb3a765ca98ea207048618c5 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-48806 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/misc/eeprom/ee1004.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49 |
| https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345 |
| https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c |
| https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce |
| https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708 |