From 0627cef36145c9ff9845bdfd7ddf485bbac1f981 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 14 Jun 2024 20:30:44 +0300 Subject: ipmi: ssif_bmc: prevent integer overflow on 32bit systems There are actually two bugs here. First, we need to ensure that count is at least sizeof(u32) or msg.len will be uninitialized data. The "msg.len" variable is a u32 that comes from the user. On 32bit systems the "sizeof_field(struct ipmi_ssif_msg, len) + msg.len" addition can overflow if "msg.len" is greater than U32_MAX - 4. Valid lengths for "msg.len" are 1-254. Add a check for that to prevent the integer overflow. Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver") Signed-off-by: Dan Carpenter Message-Id: <1431ca2e-4e9c-4520-bfc0-6879313c30e9@moroto.mountain> Signed-off-by: Corey Minyard
---
drivers/char/ipmi/ssif_bmc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index 56346fb32872..ab4e87a99f08 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -177,13 +177,15 @@ static ssize_t ssif_bmc_write(struct file *file, const char __user *buf, size_t
 unsigned long flags;
 ssize_t ret;
- if (count > sizeof(struct ipmi_ssif_msg))
+ if (count < sizeof(msg.len) ||
+ count > sizeof(struct ipmi_ssif_msg))
 return -EINVAL;
 if (copy_from_user(&msg, buf, count))
 return -EFAULT;
- if (!msg.len || count < sizeof_field(struct ipmi_ssif_msg, len) + msg.len)
+ if (!msg.len || msg.len > IPMI_SSIF_PAYLOAD_MAX ||
+ count < sizeof_field(struct ipmi_ssif_msg, len) + msg.len)
 return -EINVAL;
 spin_lock_irqsave(&ssif_bmc->lock, flags);
-- cgit
From 19a01155ddfe525e3a4e7cef734f18cce640b1ef Mon Sep 17 00:00:00 2001
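Review bot: The new `msg.len > IPMI_SSIF_PAYLOAD_MAX` test in ssif_bmc_write() only protects the addition because it is evaluated before `sizeof_field(struct ipmi_ssif_msg, len) + msg.len` in the same `||` chain, and nothing in the code says so; a later reorder or split of that condition would quietly bring the 32-bit wrap back. I would add above the second check: `/* msg.len is user-controlled: bound it before the addition so the sum cannot wrap on 32-bit */`. As a style point, the first check spells the header size `sizeof(msg.len)` while the second uses `sizeof_field(struct ipmi_ssif_msg, len)`; one spelling in both places would make it obvious they are the same quantity. The definition of IPMI_SSIF_PAYLOAD_MAX is outside the hunk, so that it matches the 1-254 range given in the commit message should be confirmed there; the function body also starts and ends outside the hunk.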
From: Uwe Kleine-König Date: Mon, 8 Jul 2024 17:09:12 +0200 Subject: ipmi: Drop explicit initialization of struct i2c_device_id::driver_data to 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These drivers don't use the driver_data member of struct i2c_device_id, so don't explicitly initialize this member. This prepares putting driver_data in an anonymous union which requires either no initialization or named designators. But it's also a nice cleanup on its own. While at it, also remove commas after the sentinel entries. Signed-off-by: Uwe Kleine-König Message-Id: <20240708150914.18190-2-u.kleine-koenig@baylibre.com> Signed-off-by: Corey Minyard
---
drivers/char/ipmi/ipmb_dev_int.c | 4 ++-- drivers/char/ipmi/ipmi_ipmb.c | 4 ++-- drivers/char/ipmi/ipmi_ssif.c | 2 +- drivers/char/ipmi/ssif_bmc.c | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
index 49100845fcb7..7296127181ec 100644
--- a/drivers/char/ipmi/ipmb_dev_int.c
+++ b/drivers/char/ipmi/ipmb_dev_int.c
@@ -350,8 +350,8 @@ static void ipmb_remove(struct i2c_client *client)
 }
 static const struct i2c_device_id ipmb_id[] = {
- { "ipmb-dev", 0 },
- {},
+ { "ipmb-dev" },
+ {}
 };
 MODULE_DEVICE_TABLE(i2c, ipmb_id);
diff --git a/drivers/char/ipmi/ipmi_ipmb.c b/drivers/char/ipmi/ipmi_ipmb.c
index 4e335832fc26..6a4f279c7c1f 100644
--- a/drivers/char/ipmi/ipmi_ipmb.c
+++ b/drivers/char/ipmi/ipmi_ipmb.c
@@ -561,8 +561,8 @@ MODULE_DEVICE_TABLE(of, of_ipmi_ipmb_match);
 #endif
 static const struct i2c_device_id ipmi_ipmb_id[] = {
- { DEVICE_NAME, 0 },
- {},
+ { DEVICE_NAME },
+ {}
 };
 MODULE_DEVICE_TABLE(i2c, ipmi_ipmb_id);
diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
index 3f509a22217b..96ad571d041a 100644
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -2049,7 +2049,7 @@ static int dmi_ipmi_probe(struct platform_device *pdev)
 #endif
 static const struct i2c_device_id ssif_id[] = {
- { DEVICE_NAME, 0 },
+ { DEVICE_NAME },
 { }
 };
 MODULE_DEVICE_TABLE(i2c, ssif_id);
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index ab4e87a99f08..a14fafc583d4 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -852,8 +852,8 @@ static const struct of_device_id ssif_bmc_match[] = {
 MODULE_DEVICE_TABLE(of, ssif_bmc_match);
 static const struct i2c_device_id ssif_bmc_id[] = {
- { DEVICE_NAME, 0 },
- { },
+ { DEVICE_NAME },
+ { }
 };
 MODULE_DEVICE_TABLE(i2c, ssif_bmc_id);
-- cgit