lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251110134423.432612-1-devsec@tpz.ru>
Date: Mon, 10 Nov 2025 13:44:22 +0000
From: Ilya Krutskih <devsec@....ru>
To: <sdl@...dev.space>
CC: Ilya Krutskih <devsec@....ru>, <andrew+netdev@...n.ch>,
	<davem@...emloft.net>, <edumazet@...gle.com>, <kuba@...nel.org>,
	<pabeni@...hat.com>, <tglx@...utronix.de>, <mingo@...nel.org>,
	<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<stable@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH] net: fealnx: fixed possible out of band acces to an array

fixed possible out of band access to an array 
If the fealnx_init_one() function is called more than MAX_UNITS times 
or card_idx is less than zero

Added a check: 0 <= card_idx < MAX_UNITS

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Ilya Krutskih <devsec@....ru>
---
 drivers/net/ethernet/fealnx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c
index 6ac8547ef9b8..c7f2141a01fe 100644
--- a/drivers/net/ethernet/fealnx.c
+++ b/drivers/net/ethernet/fealnx.c
@@ -491,8 +491,8 @@ static int fealnx_init_one(struct pci_dev *pdev,
 
 	card_idx++;
 	sprintf(boardname, "fealnx%d", card_idx);
-
-	option = card_idx < MAX_UNITS ? options[card_idx] : 0;
+	if (card_idx >= 0)
+		option = card_idx < MAX_UNITS ? options[card_idx] : 0;
 
 	i = pci_enable_device(pdev);
 	if (i) return i;
@@ -623,7 +623,7 @@ static int fealnx_init_one(struct pci_dev *pdev,
 		np->default_port = option & 15;
 	}
 
-	if (card_idx < MAX_UNITS && full_duplex[card_idx] > 0)
+	if ((0 <= card_idx && MAX_UNITS > card_idx) && full_duplex[card_idx] > 0)
 		np->mii.full_duplex = full_duplex[card_idx];
 
 	if (np->mii.full_duplex) {
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ