| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 May 2021 13:42:49 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: "yukuai (C)" <yukuai3@...wei.com>
Cc: laforge@...monks.org, arnd@...db.de, akpm@...l.org,
linux-kernel@...r.kernel.org, yi.zhang@...wei.com
Subject: Re: [PATCH] char: pcmcia: fix possible array index out of bounds in
set_protocol()
On Fri, May 21, 2021 at 07:34:52PM +0800, yukuai (C) wrote:
> On 2021/05/21 18:59, Greg KH wrote:
> > On Fri, May 21, 2021 at 06:07:05PM +0800, Yu Kuai wrote:
> > > The length of array 'pts_reply' is 4, and the loop in set_protocol()
> > > will access array element from 0 to num_bytes_read - 1. Thus if
> > > io_read_num_rec_bytes() gets 'num_bytes_read' more than 4, it will
> > > cause index out of bounds errors.
> >
> > And how can num_bytes_read be greater than 4?
>
> Hi
>
> Do you mean num_bytes_read here should never be greater than 4?
>
> 544 io_read_num_rec_bytes(iobase, &num_bytes_read);
> 545 if (num_bytes_read >= 4) {
> 546 DEBUGP(2, dev, "NumRecBytes = %i\n",
> num_bytes_read);
> 547 break;
Like I said, it is tested if it is bigger, but then nothing happens if
that is true. So try to error out here.
> > Ah, it is tested, but you might want to error out if that happens, as
> > obviously something went wrong.
> >
> > Do you have this hardware to test these changes?
>
> Sorry we don't have this hardware...
Ah, then I wouldn't worry about it, as odds are, no one else does either :)
thanks,
greg k-h
Powered by blists - more mailing lists