diff mbox

DIBUSB_MC : fix i2c to not corrupt eeprom in case of strange read pattern

Message ID 4A0EBACD.6070601@free.fr (mailing list archive)
State Superseded
Headers show

Commit Message

Matthieu Castet May 16, 2009, 1:08 p.m. UTC 
Hi,


dibusb_i2c_xfer seems to do things very dangerous :
it assumes that it get only write/read request or write request.

That means that read can be understood as write. For example a program
doing
file = open("/dev/i2c-x", O_RDWR);
ioctl(file, I2C_SLAVE, 0x50)
read(file, data, 10)
will corrupt the eeprom as it will be understood as a write.

I attach a possible (untested) patch.


Matthieu

Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>

Comments

Patrick Boettcher May 20, 2009, 8:42 a.m. UTC | #1 
Hi Matthieu,

On Sat, 16 May 2009, matthieu castet wrote:

> Hi,
>
>
> dibusb_i2c_xfer seems to do things very dangerous :
> it assumes that it get only write/read request or write request.
>
> That means that read can be understood as write. For example a program
> doing
> file = open("/dev/i2c-x", O_RDWR);
> ioctl(file, I2C_SLAVE, 0x50)
> read(file, data, 10)
> will corrupt the eeprom as it will be understood as a write.
>
> I attach a possible (untested) patch.
>
>
> Matthieu
>
> Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>

thanks a lot for your patch. I applied it, but could not test. But even 
it is breaks things, it's better to prevent those "false-reads" than not 
having this protection. Any breakage we will fix later.

Patrick.

--
   Mail: patrick.boettcher@desy.de
   WWW:  http://www.wi-bw.tfh-wildau.de/~pboettch/
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

Index: linux-2.6/drivers/media/dvb/dvb-usb/dibusb-common.c
===================================================================
--- linux-2.6.orig/drivers/media/dvb/dvb-usb/dibusb-common.c	2009-02-09 20:36:03.000000000 +0100
+++ linux-2.6/drivers/media/dvb/dvb-usb/dibusb-common.c	2009-02-09 20:38:21.000000000 +0100
@@ -133,14 +133,18 @@ 
 
 	for (i = 0; i < num; i++) {
 		/* write/read request */
-		if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) {
+		if (i+1 < num && (msg[i].flags & I2C_M_RD) == 0
+					  && (msg[i+1].flags & I2C_M_RD)) {
 			if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len,
 						msg[i+1].buf,msg[i+1].len) < 0)
 				break;
 			i++;
-		} else
+		} else if ((msg[i].flags & I2C_M_RD) == 0) {
 			if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len,NULL,0) < 0)
 				break;
+		}
+		else
+			break;
 	}
 
 	mutex_unlock(&d->i2c_mutex);