lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20241209-of_irq_fix-v1-4-782f1419c8a1@quicinc.com>
Date: Mon, 09 Dec 2024 21:25:02 +0800
From: Zijun Hu <zijun_hu@...oud.com>
To: Rob Herring <robh@...nel.org>, Saravana Kannan <saravanak@...gle.com>, 
 Lorenzo Pieralisi <lpieralisi@...nel.org>, 
 Bjorn Helgaas <bhelgaas@...gle.com>, Marc Zyngier <maz@...nel.org>, 
 Stefan Wiehler <stefan.wiehler@...ia.com>, 
 Grant Likely <grant.likely@...aro.org>, Tony Lindgren <tony@...mide.com>, 
 Kumar Gala <galak@...eaurora.org>, 
 Thierry Reding <thierry.reding@...il.com>, 
 Julia Lawall <Julia.Lawall@...6.fr>, Jamie Iles <jamie@...ieiles.com>, 
 Grant Likely <grant.likely@...retlab.ca>, 
 Benjamin Herrenschmidt <benh@...nel.crashing.org>
Cc: Zijun Hu <zijun_hu@...oud.com>, devicetree@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Rob Herring <rob.herring@...xeda.com>, 
 Zijun Hu <quic_zijuhu@...cinc.com>, stable@...r.kernel.org
Subject: [PATCH 4/8] of/irq: Fix using uninitialized variable @addr_len in
 API of_irq_parse_one()

From: Zijun Hu <quic_zijuhu@...cinc.com>

of_irq_parse_one() may use uninitialized variable @addr_len as shown below:

// @addr_len is uninitialized
int addr_len;

// This operation does not touch @addr_len if it fails.
addr = of_get_property(device, "reg", &addr_len);

// Use uninitialized @addr_len if the operation fails.
if (addr_len > sizeof(addr_buf))
	addr_len = sizeof(addr_buf);

// Check the operation result here.
if (addr)
	memcpy(addr_buf, addr, addr_len);

Fix by initializing @addr_len before the operation.

Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk")
Cc: stable@...r.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
---
 drivers/of/irq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index cb39624a5e7799b9d2f4525f42dac4cd921ab403..64c005dfa23bd157d891f3f10526327deb5e2cfa 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -361,6 +361,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
 		return of_irq_parse_oldworld(device, index, out_irq);
 
 	/* Get the reg property (if any) */
+	addr_len = 0;
 	addr = of_get_property(device, "reg", &addr_len);
 
 	/* Prevent out-of-bounds read in case of longer interrupt parent address size */

-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ