| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABb+yY3Qc9G0RZQ8aX8SJhWiWEjOVcAgmB9HKQ9vVN+Lm0=HNA@mail.gmail.com>
Date: Sat, 18 Jan 2025 13:30:11 -0600
From: Jassi Brar <jassisinghbrar@...il.com>
To: Advait Dhamorikar <advaitdhamorikar@...il.com>, m.wilczynski@...sung.com
Cc: Drew Fustini <drew@...7.com>, Guo Ren <guoren@...nel.org>, Fu Wei <wefu@...hat.com>,
linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH-next] mailbox: th1520: Fix out of bounds write
On Mon, Nov 25, 2024 at 1:10 PM Advait Dhamorikar
<advaitdhamorikar@...il.com> wrote:
>
> The loop in the function iterates up to `TH_1520_MBOX_CHANS`,
> but the `ctx->intr_mask` array only has 3 elements. When
> `TH_1520_MBOX_CHANS` is set to a value larger than 3, this
> causes an out-of-bounds write at `ctx->intr_mask[3]`.
> This could cause an immediate crash or incorrect computations.
>
> Signed-off-by: Advait Dhamorikar <advaitdhamorikar@...il.com>
> ---
> drivers/mailbox/mailbox-th1520.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/mailbox/mailbox-th1520.c b/drivers/mailbox/mailbox-th1520.c
> index 4e84640ac3b8..759634a4fb72 100644
> --- a/drivers/mailbox/mailbox-th1520.c
> +++ b/drivers/mailbox/mailbox-th1520.c
> @@ -532,6 +532,9 @@ static int __maybe_unused th1520_mbox_suspend_noirq(struct device *dev)
> * INFO data all assumed to be lost.
> */
> for (i = 0; i < TH_1520_MBOX_CHANS; i++) {
> + if (i >= ARRAY_SIZE(ctx->intr_mask))
> + break;
> +
Maybe simply reduce the loop by one OR iterate for
ARRAY_SIZE(ctx->intr_mask), here and elsewhere?
I have a gut feeling that intr_mask is declared one element short.
CC'ing the author.
Thanks
Powered by blists - more mailing lists