| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241125191009.28535-1-advaitdhamorikar@gmail.com>
Date: Tue, 26 Nov 2024 00:40:09 +0530
From: Advait Dhamorikar <advaitdhamorikar@...il.com>
To: Drew Fustini <drew@...7.com>,
Guo Ren <guoren@...nel.org>,
Fu Wei <wefu@...hat.com>,
Jassi Brar <jassisinghbrar@...il.com>
Cc: linux-riscv@...ts.infradead.org,
linux-kernel@...r.kernel.org,
Advait Dhamorikar <advaitdhamorikar@...il.com>
Subject: [PATCH-next] mailbox: th1520: Fix out of bounds write
The loop in the function iterates up to `TH_1520_MBOX_CHANS`,
but the `ctx->intr_mask` array only has 3 elements. When
`TH_1520_MBOX_CHANS` is set to a value larger than 3, this
causes an out-of-bounds write at `ctx->intr_mask[3]`.
This could cause an immediate crash or incorrect computations.
Signed-off-by: Advait Dhamorikar <advaitdhamorikar@...il.com>
---
drivers/mailbox/mailbox-th1520.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mailbox/mailbox-th1520.c b/drivers/mailbox/mailbox-th1520.c
index 4e84640ac3b8..759634a4fb72 100644
--- a/drivers/mailbox/mailbox-th1520.c
+++ b/drivers/mailbox/mailbox-th1520.c
@@ -532,6 +532,9 @@ static int __maybe_unused th1520_mbox_suspend_noirq(struct device *dev)
* INFO data all assumed to be lost.
*/
for (i = 0; i < TH_1520_MBOX_CHANS; i++) {
+ if (i >= ARRAY_SIZE(ctx->intr_mask))
+ break;
+
ctx->intr_mask[i] =
ioread32(priv->local_icu[i] + TH_1520_MBOX_MASK);
}
--
2.34.1
Powered by blists - more mailing lists