lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20250414-fix_swnode-v2-1-9c9e6ae11eab@quicinc.com>
Date: Mon, 14 Apr 2025 19:36:52 +0800
From: Zijun Hu <zijun_hu@...oud.com>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, 
 Daniel Scally <djrscally@...il.com>, 
 Heikki Krogerus <heikki.krogerus@...ux.intel.com>, 
 Sakari Ailus <sakari.ailus@...ux.intel.com>, 
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
 "Rafael J. Wysocki" <rafael@...nel.org>, Danilo Krummrich <dakr@...nel.org>
Cc: Zijun Hu <zijun_hu@...oud.com>, linux-acpi@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Zijun Hu <quic_zijuhu@...cinc.com>
Subject: [PATCH v2] software node: Correct a OOB check in
 software_node_get_reference_args()

From: Zijun Hu <quic_zijuhu@...cinc.com>

software_node_get_reference_args() wants to get @index-th element, so
the property value requires at least '(index + 1) * sizeof(*ref)' bytes
but that can not be guaranteed by current OOB check, and may cause OOB
for malformed property.

Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.

Reviewed-by: Sakari Ailus <sakari.ailus@...ux.intel.com>
Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
---
Changes in v2:
- Drop the first patch
- Optimize comments for the secondary patch.
- Link to v1: https://lore.kernel.org/r/20250410-fix_swnode-v1-0-081c95cf7cf9@quicinc.com
---
 drivers/base/swnode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index b1726a3515f6fbe13c2186af1f74479263798e42..22bed2d35b2e89b6ac741c73b0190dfe67b35f71 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
 	if (prop->is_inline)
 		return -EINVAL;
 
-	if (index * sizeof(*ref) >= prop->length)
+	if ((index + 1) * sizeof(*ref) > prop->length)
 		return -ENOENT;
 
 	ref_array = prop->pointer;

---
base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
change-id: 20250410-fix_swnode-4986ff1b3534

Best regards,
-- 
Zijun Hu <quic_zijuhu@...cinc.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ