Date:	Mon, 09 Sep 2013 01:39:15 +0200
From:	Marc Weber <marco-oweber@....de>
To:	netdev@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	Jiri Kosina <jkosina@...e.cz>
Subject: drivers/net/ethernet/nvidia/forcedeth.c saved_config_space[size] access patch

  1) VER3 and _MAX are of the same size:
  #define NV_PCI_REGSZ_VER3       0x604
  #define NV_PCI_REGSZ_MAX        0x604


  2) It looks like there is a case where VER3 gets assigned to
      register_size:

  if (id->driver_data &
  (DEV_HAS_VLAN|DEV_HAS_MSI_X|DEV_HAS_POWER_CNTRL|DEV_HAS_STATISTICS_V2|DEV_HAS_STATISTICS_V
                  np->register_size = NV_PCI_REGSZ_VER3;

  3) the definition of saved_config_space is MAX divided by 4 (size of u32)
  struct fe_priv {
    [...]
    u32 saved_config_space[NV_PCI_REGSZ_MAX/4];

  4) This doesn't stop the loop at [size-1]:
    Thus there is the risk that it overrides the field after
    saved_config_space. If that's desired behaviour at least a comment
    is missing IMHO:

  for (i = 0; i <= np->register_size/sizeof(u32); i++)
     np->saved_config_space[i] = readl(base + i*sizeof(u32));

  Such a for loop is used twice in forcedeth.c

Patch against 4de9ad9bc08 (Fri Sep 6 11:14:33) attached fixing both
using < instead of <=.

If you think I've hit a small bug just fix and commit.
I don't care much about my ownership of this patch.

I didn't test this patch because I don't have the hardware and I think
it's a trivial case.

Marc Weber

Download attachment "0001-forcedepth-fix-possible-out-of-bounds-access.patch" of type "application/octet-stream" (1205 bytes)
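
The off-by-one described in the message, as an added example that is not part of the original post or of forcedeth.c. It is a user-space model: `struct model`, `fake_regs`, `fake_readl`, `save_config` and `neighbour_clobbered` are hypothetical names, and the slot after the array stands in for whatever field follows `saved_config_space` in `struct fe_priv`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NV_PCI_REGSZ_VER3 0x604
#define NV_PCI_REGSZ_MAX  0x604
#define SAVED_WORDS (NV_PCI_REGSZ_MAX / 4)  /* 385 slots, valid indices 0..384 */
#define CANARY 0xC0FFEE00u                  /* constructed marker value */

/* Model, not the driver's struct: mem[0..SAVED_WORDS-1] plays the role of
 * saved_config_space[], mem[SAVED_WORDS] stands for the field after it. */
struct model { uint32_t mem[SAVED_WORDS + 1]; };

/* Constructed register window standing in for the MMIO region. */
static uint32_t fake_regs[SAVED_WORDS + 1];
static uint32_t fake_readl(size_t off) { return fake_regs[off / sizeof(uint32_t)]; }

/* Copy loop with the quoted "<=" bound (inclusive != 0) or the proposed "<"
 * bound (inclusive == 0). Returns the highest index written. */
size_t save_config(struct model *m, size_t register_size, int inclusive)
{
    size_t i, last = 0;

    for (i = 0; inclusive ? i <= register_size / sizeof(uint32_t)
                          : i <  register_size / sizeof(uint32_t); i++) {
        m->mem[i] = fake_readl(i * sizeof(uint32_t));
        last = i;
    }
    return last;
}

/* Returns 1 if the slot after the array was overwritten by the copy. */
int neighbour_clobbered(int inclusive)
{
    struct model m = { {0} };
    size_t i;

    for (i = 0; i <= SAVED_WORDS; i++)
        fake_regs[i] = (uint32_t)i + 1;     /* never equals CANARY */
    m.mem[SAVED_WORDS] = CANARY;
    save_config(&m, NV_PCI_REGSZ_VER3, inclusive);
    return m.mem[SAVED_WORDS] != CANARY;
}

int main(void)
{
    printf("<=: %d  <: %d\n", neighbour_clobbered(1), neighbour_clobbered(0));
    return 0;
}
```

With `register_size` equal to `NV_PCI_REGSZ_MAX`, the `<=` bound writes index 385 of a 385-element array, while the `<` bound stops at index 384.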
