| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260107162126.1564-1-qikeyu2017@gmail.com>
Date: Thu, 8 Jan 2026 00:21:26 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: tariqt@...dia.com
Cc: linux-kernel@...r.kernel.org,
Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] mlx4: Fix out of bounds access in __mlx4_register_mac()
__mlx4_register_mac() searches for a free MAC table slot using
`free = -1`. If the requested MAC is not found and there is no
free entry (all refs[] are non-zero), the scan may finish with
`free` still -1, yet the code later uses it as an array index
(entries/refs/is_dup), causing an out-of-bounds access.
Fix this by checking `free < 0` after the scan (and mf-bond slot
selection) and returning an error before touching the arrays.
This matches the same bug pattern fixed by CVE-2010-5332 in
mlx4_register_mac()/mlx4_register_vlan().
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
drivers/net/ethernet/mellanox/mlx4/port.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c
index e3d0b13c1610..ff1cce138357 100644
--- a/drivers/net/ethernet/mellanox/mlx4/port.c
+++ b/drivers/net/ethernet/mellanox/mlx4/port.c
@@ -267,6 +267,11 @@ int __mlx4_register_mac(struct mlx4_dev *dev, u8 port, u64 mac)
if (need_mf_bond && can_mf_bond)
free = free_for_dup;
+ if (free < 0) {
+ err = -ENOMEM;
+ goto out;
+ }
+
mlx4_dbg(dev, "Free MAC index is %d\n", free);
if (table->total == table->max) {
--
2.34.1
Powered by blists - more mailing lists