From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Teng Qi <starmiku1207184332@gmail.com>,
TOTE Robot <oslab@tsinghua.edu.cn>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
yisen.zhuang@huawei.com, salil.mehta@huawei.com, kuba@kernel.org,
huangguangbin2@huawei.com, lipeng321@huawei.com,
tanhuazhong@huawei.com, shenyang39@huawei.com,
zhengyongjun3@huawei.com, liuyonglong@huawei.com,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 12/15] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
Date: Thu, 25 Nov 2021 21:35:30 -0500 [thread overview]
Message-ID: <20211126023533.442895-12-sashal@kernel.org> (raw)
In-Reply-To: <20211126023533.442895-1-sashal@kernel.org>
From: Teng Qi <starmiku1207184332@gmail.com>
[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ]
The if statement:
if (port >= DSAF_GE_NUM)
return;
limits the value of port less than DSAF_GE_NUM (i.e., 8).
However, if the value of port is 6 or 7, an array overflow could occur:
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
To fix this possible array overflow, we first check port and if it is
greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
index 16294cd3c9545..4ceacb1c154dc 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
@@ -402,6 +402,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
return;
if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
+ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
+ We need check to prevent array overflow */
+ if (port >= DSAF_MAX_PORT_NUM)
+ return;
reg_val_1 = 0x1 << port;
port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
/* there is difference between V1 and V2 in register.*/
--
2.33.0
next prev parent reply other threads:[~2021-11-26 2:43 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-26 2:35 [PATCH AUTOSEL 4.19 01/15] gfs2: Fix length of holes reported at end-of-file Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 02/15] tun: fix bonding active backup with arp monitoring Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 03/15] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 04/15] net: return correct error code Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 05/15] pinctrl: amd: Fix wakeups when IRQ is shared with SCI Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 06/15] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 07/15] s390/setup: avoid using memblock_enforce_memory_limit Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 08/15] btrfs: check-integrity: fix a warning on write caching disabled disk Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 09/15] thermal: core: Reset previous low and high trip during thermal zone init Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 10/15] scsi: iscsi: Unblock session then wake up error handler Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 11/15] ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile Sasha Levin
2021-11-26 2:35 ` Sasha Levin [this message]
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 13/15] net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 14/15] net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() Sasha Levin
2021-11-26 2:35 ` [PATCH AUTOSEL 4.19 15/15] perf hist: Fix memory leak of a perf_hpp_fmt Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211126023533.442895-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=huangguangbin2@huawei.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lipeng321@huawei.com \
--cc=liuyonglong@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=oslab@tsinghua.edu.cn \
--cc=salil.mehta@huawei.com \
--cc=shenyang39@huawei.com \
--cc=stable@vger.kernel.org \
--cc=starmiku1207184332@gmail.com \
--cc=tanhuazhong@huawei.com \
--cc=yisen.zhuang@huawei.com \
--cc=zhengyongjun3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox