author | Benjamin Tissoires <[email protected]> | 2018-05-22 17:19:57 -0700 |
---|---|---|
committer | Dmitry Torokhov <[email protected]> | 2018-05-23 11:48:59 -0700 |
commit | 40f7090bb1b4ec327ea1e1402ff5783af5b35195 (patch) | |
tree | 51057c1d9d179d4790be3f6d3accc65fea8c93a3 /include/linux/fpga/fpga-bridge.h | |
parent | ad8fb554f04e38f155c9bc34bbf521fc592ceee7 (diff) |

Input: elan_i2c_smbus - fix corrupted stack

New ICs (like the one on the Lenovo T480s) answer to
ETP_SMBUS_IAP_VERSION_CMD 4 bytes instead of 3. This corrupts the stack
as i2c_smbus_read_block_data() uses the values returned by the i2c
device to know how much data it needs to return.

i2c_smbus_read_block_data() can read up to 32 bytes (I2C_SMBUS_BLOCK_MAX)
and there is no safeguard on how many bytes are provided in the return
value. Ensure we always have enough space for any future firmware.

Also 0-initialize the values to prevent any access to uninitialized memory.

Cc: <[email protected]> # v4.4.x, v4.9.x, v4.14.x, v4.15.x, v4.16.x
Signed-off-by: Benjamin Tissoires <[email protected]>
Acked-by: KT Liao <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Diffstat (limited to 'include/linux/fpga/fpga-bridge.h')
0 files changed, 0 insertions, 0 deletions
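
The failure mode described in the commit message, as an added user-space example (not the driver's code and not part of the original commit): `mock_read_block`, `reply_overruns`, `read_reply`, `EXPECTED_LEN` and the sample replies are hypothetical names and constructed data standing in for a block read whose length is chosen by the device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32 /* maximum block size, as stated in the commit message */
#define EXPECTED_LEN 3         /* reply length of the older ICs (assumed name) */

/* Constructed sample replies: first byte is the device-chosen length. */
static const uint8_t reply_old[] = {3, 0x11, 0x22, 0x33};
static const uint8_t reply_new[] = {4, 0x11, 0x22, 0x33, 0x44};

/* Hypothetical stand-in for a block read: copies as many bytes as the device
 * announces. It is never told how large the caller's buffer is. */
static int mock_read_block(const uint8_t *wire, uint8_t *values)
{
    uint8_t len = wire[0];

    if (len == 0 || len > I2C_SMBUS_BLOCK_MAX)
        return -1;
    memcpy(values, wire + 1, len);
    return len;
}

/* 1 if a buffer of buf_size bytes would be overrun by this reply. */
static int reply_overruns(const uint8_t *wire, size_t buf_size)
{
    return wire[0] > buf_size;
}

/* Safe caller: worst-case sized, zero-initialised buffer; consume only the
 * bytes this caller understands. Returns the device's length or -1. */
static int read_reply(const uint8_t *wire, uint8_t out[EXPECTED_LEN])
{
    uint8_t val[I2C_SMBUS_BLOCK_MAX] = {0};
    int len = mock_read_block(wire, val);

    if (len < EXPECTED_LEN)
        return -1;
    memcpy(out, val, EXPECTED_LEN);
    return len;
}

int main(void)
{
    uint8_t out[EXPECTED_LEN];

    printf("3-byte buffer overrun by new reply: %d\n", reply_overruns(reply_new, 3));
    printf("safe read returned %d bytes\n", read_reply(reply_new, out));
    return 0;
}
```

The short-reply check in `read_reply` is an addition of this example; the commit message itself only describes sizing the buffers for the largest block and zero-initialising them.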