1 files changed, 38 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
new file mode 100644
index 000000000..a8aa64856
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
@@ -0,0 +1,38 @@
+From 407c8708fb1bf2d4afc5337ef50635cf540c364b Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 31 Dec 2021 01:47:50 +0300
+Subject: i2c: validate user data in compat ioctl
+
+[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
+
+Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
+Userspace should not be able to trigger warnings, so this patch adds
+validation checks for user data in compact ioctl to prevent reported
+warnings
+
+Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
+Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 57aece80984166..140dd074fdee5a 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -544,6 +544,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
+ 				   sizeof(rdwr_arg)))
+ 			return -EFAULT;
+ 
++		if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++			return -EINVAL;
++
+ 		if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+ 			return -EINVAL;
+ 
+-- 
+cgit 1.2.3-korg
+