Message-ID: <e7c1cf7e-b007-49cb-9441-31ecdce3614c@roeck-us.net>
Date: Mon, 2 Jun 2025 07:11:34 -0700
From: Guenter Roeck <linux@...ck-us.net>
To: Dan Carpenter <dan.carpenter@...aro.org>,
Enric Balletbo i Serra <eballetbo@...nel.org>
Cc: Wim Van Sebroeck <wim@...ux-watchdog.org>,
linux-watchdog@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] watchdog: ziirave_wdt: check record length in
ziirave_firm_verify()
On 5/28/25 13:22, Dan Carpenter wrote:
> The "rec->len" value comes from the firmware. We generally do
> trust firmware, but it's always better to double check. If
> the length value is too large it would lead to memory corruption
> when we set "data[i] = ret;"
>
> Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
Reviewed-by: Guenter Roeck <linux@...ck-us.net>
> ---
> drivers/watchdog/ziirave_wdt.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
> index fcc1ba02e75b..5c6e3fa001d8 100644
> --- a/drivers/watchdog/ziirave_wdt.c
> +++ b/drivers/watchdog/ziirave_wdt.c
> @@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
> const u16 len = be16_to_cpu(rec->len);
> const u32 addr = be32_to_cpu(rec->addr);
>
> + if (len > sizeof(data))
> + return -EINVAL;
> +
> if (ziirave_firm_addr_readonly(addr))
> continue;
>
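Review bot: The new `len > sizeof(data)` check is placed ahead of the `ziirave_firm_addr_readonly(addr)` skip, so an oversized record in a read-only range, which would otherwise just hit `continue`, now fails the whole verification with -EINVAL. If that is intended, it is worth a line in the commit message; otherwise the check can move below the `continue`. The bound is also only meaningful if `data` is an array in this scope. Its declaration is not visible in the hunk, and with a pointer `sizeof(data)` would be the pointer size. Finally, the early return is silent, so an error message that reports the rejected length would make a refused firmware image easier to diagnose.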