CVE-2022-50394

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: ismt: Fix an out-of-bounds bug in ismt_access()<br /> <br /> When the driver does not check the data from the user, the variable<br /> &amp;#39;data-&gt;block[0]&amp;#39; may be very large to cause an out-of-bounds bug.<br /> <br /> The following log can reveal it:<br /> <br /> [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20<br /> [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE<br /> [ 33.996475] ==================================================================<br /> [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b<br /> [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485<br /> [ 33.999450] Call Trace:<br /> [ 34.001849] memcpy+0x20/0x60<br /> [ 34.002077] ismt_access.cold+0x374/0x214b<br /> [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0<br /> [ 34.004007] i2c_smbus_xfer+0x10a/0x390<br /> [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710<br /> [ 34.005196] i2cdev_ioctl+0x5ec/0x74c<br /> <br /> Fix this bug by checking the size of &amp;#39;data-&gt;block[0]&amp;#39; first.