Revert "i2c: fix stack buffer overflow vulnerability in i2c md command"
This reverts commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409.
The commit is largely wrong and breaks most of i2c command functionality.
The problem described in the aforementioned commit's commit message is valid,
however the commit itself makes many more changes unrelated to fixing the
one problem it describes. Those extra changes, namely the handling of i2c
device address length as unsigned instead of signed integer, break the
expectation that address length may be a negative value. The negative value
is used by DM to indicate that address length of device does not change.
The actual bug documented in commit 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
can be fixed by extra sanitization in separate patch.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/cmd/i2c.c b/cmd/i2c.c
index bd04b14..9050b2b 100644
--- a/cmd/i2c.c
+++ b/cmd/i2c.c
@@ -200,10 +200,10 @@
*
* Returns the address length.
*/
-static uint get_alen(char *arg, uint default_len)
+static uint get_alen(char *arg, int default_len)
{
- uint j;
- uint alen;
+ int j;
+ int alen;
alen = default_len;
for (j = 0; j < 8; j++) {
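Review bot: `get_alen()` keeps its `uint` return type although `default_len`, `j` and `alen` are signed again, so a negative length is converted to unsigned on return and back to `int` in every caller that stores it in `int alen`. Declaring it as `static int get_alen(char *arg, int default_len)` keeps the value signed end to end. The header comment should also state what a negative result means, e.g. `* Returns the address length; a negative value means the device's address length is left unchanged (DM).` The function body continues outside the hunk, so how the parsed digit is validated cannot be seen here.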
@@ -247,7 +247,7 @@
{
uint chip;
uint devaddr, length;
- uint alen;
+ int alen;
u_char *memaddr;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
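Review bot: `int alen` carries a sentinel that nothing at the declaration explains: per the commit message, a negative value tells DM to leave the device's address length unchanged. A short comment such as `int alen; /* < 0: keep the chip's current address length (DM) */` would stop a later cleanup from making it unsigned again; the same applies to the hunks at -301, -469, -589, -676 and -985. The range checks on `alen` lie outside these hunks; presumably they only test an upper bound, in which case a negative value parsed from the command line would pass them just like the sentinel. The parse path is therefore worth a lower-bound check of its own. The enclosing function starts and ends outside the hunk.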
@@ -301,7 +301,7 @@
{
uint chip;
uint devaddr, length;
- uint alen;
+ int alen;
u_char *memaddr;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
@@ -469,8 +469,8 @@
{
uint chip;
uint addr, length;
- uint alen;
- uint j, nbytes, linebytes;
+ int alen;
+ int j, nbytes, linebytes;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev;
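Review bot: `nbytes` and `linebytes` become `int` again while `length` two lines above stays `uint`, so a `length` above `INT_MAX` would become a negative byte count once copied into them. Only `alen` needs to be signed for the DM sentinel the commit message describes, so this hunk could keep `uint j, nbytes, linebytes;` and change just `uint alen;` to `int alen;`. That would retain the unsigned counters from the reverted commit, which appear to be the part that addressed the overflow it documented. The assignments and the buffer these counters bound are outside the hunk, so this is inferred from the declarations and the commit message.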
@@ -589,9 +589,9 @@
{
uint chip;
ulong addr;
- uint alen;
+ int alen;
uchar byte;
- uint count;
+ int count;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev;
@@ -676,8 +676,8 @@
{
uint chip;
ulong addr;
- uint alen;
- uint count;
+ int alen;
+ int count;
uchar byte;
ulong crc;
ulong err;
@@ -985,7 +985,7 @@
char *const argv[])
{
uint chip;
- uint alen;
+ int alen;
uint addr;
uint length;
u_char bytes[16];