2298142 – (CVE-2022-48806) CVE-2022-48806 kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX

Bug 2298142 (CVE-2022-48806) - CVE-2022-48806 kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX

Summary: CVE-2022-48806 kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX

Keywords:
Status:	NEW
Alias:	CVE-2022-48806
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-16 12:29 UTC by OSIDB Bzimport
Modified:	2024-10-18 14:53 UTC (History)
CC List:	5 users (show)
Fixed In Version:	kernel 5.4.180, kernel 5.10.101, kernel 5.15.24, kernel 5.16.10
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-16 12:29:32 UTC

In the Linux kernel, the following vulnerability has been resolved:

eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX

Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer
size") revealed that ee1004_eeprom_read() did not properly limit how
many bytes to read at once.

In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the
length to read as an u8.  If count == 256 after taking into account the
offset and page boundary, the cast to u8 overflows.  And this is common
when user space tries to read the entire EEPROM at once.

To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already
the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.

Comment 11 David Arcari 2024-07-18 17:08:12 UTC

Upstream commit c0689e46be23160d925dca95dfc411f1a0462708 was backported to RHEL9.1 as commit 60049987d61e90961167d32926285a228a1e1da7 via: https://bugzilla.redhat.com/show_bug.cgi?id=2040028

Note You need to log in before you can comment on or make changes to this bug.