lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Nov 2021 21:33:37 -0500 From: Sasha Levin <sashal@...nel.org> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org Cc: Teng Qi <starmiku1207184332@...il.com>, TOTE Robot <oslab@...nghua.edu.cn>, "David S . Miller" <davem@...emloft.net>, Sasha Levin <sashal@...nel.org>, yisen.zhuang@...wei.com, salil.mehta@...wei.com, kuba@...nel.org, huangguangbin2@...wei.com, lipeng321@...wei.com, zhengyongjun3@...wei.com, shenyang39@...wei.com, liuyonglong@...wei.com, netdev@...r.kernel.org Subject: [PATCH AUTOSEL 5.10 22/28] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() From: Teng Qi <starmiku1207184332@...il.com> [ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ] The if statement: if (port >= DSAF_GE_NUM) return; limits the value of port less than DSAF_GE_NUM (i.e., 8). However, if the value of port is 6 or 7, an array overflow could occur: port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). To fix this possible array overflow, we first check port and if it is greater than or equal to DSAF_MAX_PORT_NUM, the function returns. Reported-by: TOTE Robot <oslab@...nghua.edu.cn> Signed-off-by: Teng Qi <starmiku1207184332@...il.com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Sasha Levin <sashal@...nel.org> --- drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c index a9aca8c24e90d..aa87e4d121532 100644 --- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c @@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, return; if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { + /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8. + We need check to prevent array overflow */ + if (port >= DSAF_MAX_PORT_NUM) + return; reg_val_1 = 0x1 << port; port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; /* there is difference between V1 and V2 in register.*/ -- 2.33.0
Powered by blists - more mailing lists