lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 7 Mar 2024 11:04:52 +0300
From: Aleksandr Mishin <amishin@...rgos.ru>
To: Madalin Bucur <madalin.bucur@....com>
CC: Aleksandr Mishin <amishin@...rgos.ru>, Sean Anderson
	<sean.anderson@...o.com>, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, Igal Liberman <igal.liberman@...escale.com>,
	<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<lvc-project@...uxtesting.org>
Subject: [PATCH] fsl/fman: Add array size check

In fman_register_intr() and fman_unregister_intr()
get_module_event() is assigned to event which is then used
as array index without size check.
Fix this bug by adding a check of event.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 414fd46e7762 (fsl/fman: Add FMan support)
Signed-off-by: Aleksandr Mishin <amishin@...rgos.ru>
---
 drivers/net/ethernet/freescale/fman/fman.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
index d96028f01770..902d05ffff1b 100644
--- a/drivers/net/ethernet/freescale/fman/fman.c
+++ b/drivers/net/ethernet/freescale/fman/fman.c
@@ -2054,7 +2054,10 @@ void fman_register_intr(struct fman *fman, enum fman_event_modules module,
 	int event = 0;
 
 	event = get_module_event(module, mod_id, intr_type);
-	WARN_ON(event >= FMAN_EV_CNT);
+	if (event >= FMAN_EV_CNT) {
+		WARN_ON(event >= FMAN_EV_CNT);
+		return;
+	}
 
 	/* register in local FM structure */
 	fman->intr_mng[event].isr_cb = isr_cb;
@@ -2079,7 +2082,10 @@ void fman_unregister_intr(struct fman *fman, enum fman_event_modules module,
 	int event = 0;
 
 	event = get_module_event(module, mod_id, intr_type);
-	WARN_ON(event >= FMAN_EV_CNT);
+	if (event >= FMAN_EV_CNT) {
+		WARN_ON(event >= FMAN_EV_CNT);
+		return;
+	}
 
 	fman->intr_mng[event].isr_cb = NULL;
 	fman->intr_mng[event].src_handle = NULL;
-- 
2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ