[Skiboot] [PATCH v8 28/28] i2c: fix wild dereference
Oliver O'Halloran
oohall at gmail.com
Thu Nov 28 18:10:20 AEDT 2019
On Thu, Nov 28, 2019 at 5:35 PM Nicholas Piggin <npiggin at gmail.com> wrote:
>
> The contents of the buffer are not initialized in the case of a read,
> and not even necessarily at least 8 bytes long. It seems like the
> address is what's wanted.
Nah, it's the data that is interesting. Most I2C transactions are only
a few bytes and op->rw_len indicates how much of that 8 bytes is
actually valid. It's a bit of a dumb hack, but it is an occasionally
useful one.
> Signed-off-by: Nicholas Piggin <npiggin at gmail.com>
> ---
> core/i2c.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/core/i2c.c b/core/i2c.c
> index 6bae83b42..89231e5f9 100644
> --- a/core/i2c.c
> +++ b/core/i2c.c
> @@ -173,10 +173,10 @@ int64_t i2c_request_sync(struct i2c_request *req)
> req->req_state = i2c_req_new;
> }
>
> - prlog(PR_DEBUG, "I2C: %s req op=%x offset=%x buf=%016llx buflen=%d "
> + prlog(PR_DEBUG, "I2C: %s req op=%x offset=%x buf=%p buflen=%d "
> "delay=%lu/%lld rc=%lld\n",
> (rc) ? "!!!!" : "----", req->op, req->offset,
> - *(uint64_t*) req->rw_buf, req->rw_len, tb_to_msecs(waited), req->timeout, rc);
> + req->rw_buf, req->rw_len, tb_to_msecs(waited), req->timeout, rc);
>
> return rc;
> }
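Review bot: The prlog() argument change from `*(uint64_t*) req->rw_buf` to `req->rw_buf` stops the unconditional 8-byte load, but it also drops the transferred bytes from the debug line, leaving only an address. The removed expression was unsafe because it read 8 bytes regardless of req->rw_len. If the data is still wanted here, bound the read instead: copy at most req->rw_len bytes, capped at 8, from req->rw_buf into a zero-initialized local uint64_t and print that with the original `%016llx`. That keeps the log content without reading past a short buffer. The commit message should state whether this line is meant to show the address or the data.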
> --
> 2.23.0