mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
e47029b977
Sashiko noticed an out-of-bounds read [1].
In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).
Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.
Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.
Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.
Cc: stable@vger.kernel.org
Fixes:
|
||
|---|---|---|
| .. | ||
| controllers | ||
| atmel.c | ||
| core.c | ||
| core.h | ||
| debugfs.c | ||
| eon.c | ||
| esmt.c | ||
| everspin.c | ||
| gigadevice.c | ||
| intel.c | ||
| issi.c | ||
| Kconfig | ||
| macronix.c | ||
| Makefile | ||
| micron-st.c | ||
| otp.c | ||
| sfdp.c | ||
| sfdp.h | ||
| spansion.c | ||
| sst.c | ||
| swp.c | ||
| sysfs.c | ||
| winbond.c | ||
| xmc.c | ||