lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 3 Jun 2016 13:00:45 +0100
From:	Jonathan Cameron <jic23@...nel.org>
To:	michael.hennerich@...log.com,
	Colin King <colin.king@...onical.com>,
	Lars-Peter Clausen <lars@...afoo.de>,
	Hartmut Knaack <knaack.h@....de>,
	Peter Meerwald-Stadler <pmeerw@...erw.net>,
	linux-iio@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iio: dac: fix off-by-one comparison and out-of-bounds
 write

On 02/06/16 11:53, Michael Hennerich wrote:
> On 06/02/2016 12:06 PM, Colin King wrote:
>> From: Colin Ian King <colin.king@...onical.com>
>>
>> The check on reg is off-by-one, it should be >= rather than >. Fix
>> this to stop an out-of-bounds write to st->channel_modes[reg].
>>
>> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> 
> Acked-by: Michael Hennerich <michael.hennerich@...log.com>
Already have a fix queued from the 29th of April - will push out
in the next few days.  It just managed to miss going out in the
last cycle by a few days.

Thanks,

Jonathan

> 
>> ---
>>   drivers/iio/dac/ad5592r-base.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/iio/dac/ad5592r-base.c b/drivers/iio/dac/ad5592r-base.c
>> index 948f600..69bde59 100644
>> --- a/drivers/iio/dac/ad5592r-base.c
>> +++ b/drivers/iio/dac/ad5592r-base.c
>> @@ -525,7 +525,7 @@ static int ad5592r_alloc_channels(struct ad5592r_state *st)
>>
>>       device_for_each_child_node(st->dev, child) {
>>           ret = fwnode_property_read_u32(child, "reg", &reg);
>> -        if (ret || reg > ARRAY_SIZE(st->channel_modes))
>> +        if (ret || reg >= ARRAY_SIZE(st->channel_modes))
>>               continue;
>>
>>           ret = fwnode_property_read_u32(child, "adi,mode", &tmp);
>>
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ