lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20260130072939.1535869-1-rdunlap@infradead.org>
Date: Thu, 29 Jan 2026 23:29:37 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: linux-kernel@...r.kernel.org
Cc: Randy Dunlap <rdunlap@...radead.org>,
	Ahelenia Ziemiańska <nabijaczleweli@...ijaczleweli.xyz>,
	Hendrik Brueckner <brueckner@...ux.vnet.ibm.com>,
	linuxppc-dev@...ts.ozlabs.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jirislaby@...nel.org>,
	linux-serial@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Borislav Petkov (AMD)" <bp@...en8.de>
Subject: [PATCH] tty: hvc_iucv: fix off-by-one in number of supported devices

MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.
This is the number of entries in:
  static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];

Sometimes hvc_iucv_table[] is limited by:
(a)	if (num > hvc_iucv_devices) // for error detection
or
(b)	for (i = 0; i < hvc_iucv_devices; i++) // in 2 places
(so these 2 don't agree; second one appears to be correct to me.)

hvc_iucv_devices can be 0..8. This is a counter.
(c)	if (hvc_iucv_devices > MAX_HVC_IUCV_LINES)

If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].
Oops.

Fixes: 44a01d5ba8a4 ("[S390] s390/hvc_console: z/VM IUCV hypervisor console support")
Signed-off-by: Randy Dunlap <rdunlap@...radead.org>
---
No, I haven't seen an issue with this out in the wild.

Cc: Ahelenia Ziemiańska <nabijaczleweli@...ijaczleweli.xyz>
Cc: Hendrik Brueckner <brueckner@...ux.vnet.ibm.com>
Cc: linuxppc-dev@...ts.ozlabs.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Jiri Slaby <jirislaby@...nel.org>
Cc: linux-serial@...r.kernel.org
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: "Borislav Petkov (AMD)" <bp@...en8.de>

 drivers/tty/hvc/hvc_iucv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-next-20260128.orig/drivers/tty/hvc/hvc_iucv.c
+++ linux-next-20260128/drivers/tty/hvc/hvc_iucv.c
@@ -130,7 +130,7 @@ static struct iucv_handler hvc_iucv_hand
  */
 static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
 {
-	if (num > hvc_iucv_devices)
+	if (num >= hvc_iucv_devices)
 		return NULL;
 	return hvc_iucv_table[num];
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ