lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20121126204722.GA26463@elgon.mountain>
Date:	Mon, 26 Nov 2012 23:47:22 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	steve.glendinning@...well.net
Cc:	netdev@...r.kernel.org
Subject: re: smsc95xx: detect chip revision specific features

Hello Steve Glendinning,

The patch 9ebca5071c86: "smsc95xx: detect chip revision specific 
features" from Nov 22, 2012, leads to the following warning:
drivers/net/usb/smsc95xx.c:1349 smsc95xx_suspend()
	 error: buffer overflow 'filter_mask' 8 <= 31

drivers/net/usb/smsc95xx.c
  1283          if (pdata->wolopts & (WAKE_BCAST | WAKE_MCAST | WAKE_ARP | WAKE_UCAST)) {
  1284                  u32 *filter_mask = kzalloc(32, GFP_KERNEL);
                                                   ^^
We allocate 8 unsigned 32 bit values.  I think this is the mistake here
actually.  It is a typo and should say:

			u32 *filter_mask = kzalloc(sizeof(u32) * 32, GFP_KERNEL);

If 8 elements was the intent then that's nasty.

  1285                  u32 command[2];
  1286                  u32 offset[2];
  1287                  u32 crc[4];
  1288                  int wuff_filter_count =
  1289                          (pdata->features & FEATURE_8_WAKEUP_FILTERS) ?
  1290                          LAN9500A_WUFF_NUM : LAN9500_WUFF_NUM;

LAN9500A_WUFF_NUM is 8.  LAN9500_WUFF_NUM is 4.

  1291                  int i, filter = 0;
  1292  

[snip]

  1348                  for (i = 0; i < (wuff_filter_count * 4); i++) {
                                         ^^^^^^^^^^^^^^^^^^^^^

We are either counting to 15 or 31, and both are more that 8.

  1349                          ret = smsc95xx_write_reg_nopm(dev, WUFF, filter_mask[i]);
                                                                         ^^^^^^^^^^^^^^
So we're going past the end of the 8 element array.

  1350                          if (ret < 0)
  1351                                  kfree(filter_mask);
  1352                          check_warn_return(ret, "Error writing WUFF\n");
  1353                  }

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ