github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
275827a7dc
linux/drivers
History
Teng Qi 40e35c7744 net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 
[ Upstream commit 0fa68da72c ]

The definition of macro MOTO_SROM_BUG is:
  #define MOTO_SROM_BUG    (lp->active == 8 && (get_unaligned_le32(
  dev->dev_addr) & 0x00ffffff) == 0x3e0008)

and the if statement
  if (MOTO_SROM_BUG) lp->active = 0;

using this macro indicates lp->active could be 8. If lp->active is 8 and
the second comparison of this macro is false. lp->active will remain 8 in:
  lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].mc  = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].mci = *p;

However, the length of array lp->phy is 8, so array overflows can occur.
To fix these possible array overflows, we first check lp->active and then
return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8).

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-12-08 09:04:40 +01:00
..
accessibility
acpi ACPI: CPPC: Add NULL pointer check to cppc_get_perf() 2021-12-01 09:04:38 +01:00
amba
android binder: fix test regression due to sender_euid change 2021-12-01 09:04:40 +01:00
ata ata: libahci: Adjust behavior when StorageD3Enable _DSD is set 2021-12-08 09:04:40 +01:00
atm
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 19:17:02 +01:00
base firmware_loader: fix pre-allocated buf built-in firmware use 2021-11-25 09:48:27 +01:00
bcma
block loop: Use blk_validate_block_size() to validate block size 2021-11-21 13:44:13 +01:00
bluetooth Bluetooth: btusb: Add support for TP-Link UB500 Adapter 2021-11-21 13:44:13 +01:00
bus bus: ti-sysc: Use context lost quirk for otg 2021-11-25 09:48:25 +01:00
cdrom
char ipmi: kcs_bmc: Fix a memory leak in the error handling path of 'kcs_bmc_serio_add_device()' 2021-11-18 19:16:44 +01:00
clk clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk 2021-11-25 09:48:32 +01:00
clocksource clocksource/drivers/timer-ti-dm: Select TIMER_OF 2021-11-18 19:16:39 +01:00
comedi
connector
counter
cpufreq cpufreq: intel_pstate: Add Ice Lake server to out-of-band IDs 2021-12-01 09:04:51 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 19:16:29 +01:00
crypto crypto: octeontx2 - set assoclen in aead_do_fallback() 2021-11-18 19:16:33 +01:00
cxl
dax
dca
devfreq
dio
dma dmaengine: remove debugfs #ifdef 2021-11-25 09:48:41 +01:00
dma-buf
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 19:16:30 +01:00
eisa
extcon
firewire
firmware firmware: arm_scmi: Fix type error in sensor protocol 2021-12-01 09:04:56 +01:00
fpga
fsi
gnss
gpio gpio: rockchip: needs GENERIC_IRQ_CHIP to fix build errors 2021-11-25 09:48:36 +01:00
gpu drm/amd/amdgpu: fix potential memleak 2021-12-08 09:04:39 +01:00
greybus
hid HID: magicmouse: prevent division by 0 on scroll 2021-12-01 09:04:48 +01:00
hsi
hv Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size 2021-11-25 09:48:46 +01:00
hwmon hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff 2021-11-18 19:16:32 +01:00
hwspinlock
hwtracing
i2c i2c: virtio: disable timeout handling 2021-12-01 09:04:50 +01:00
i3c
idle
iio iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr() 2021-11-25 09:48:29 +01:00
infiniband RDMA/mlx4: Do not fail the registration on port stats 2021-11-25 09:48:39 +01:00
input Input: st1232 - increase "wait ready" timeout 2021-11-18 19:17:01 +01:00
interconnect
iommu iommu/amd: Clarify AMD IOMMUv2 initialization messages 2021-12-01 09:04:55 +01:00
ipack
irqchip irqchip/sifive-plic: Fixup EOI failed when masked 2021-11-18 19:17:14 +01:00
isdn
leds
macintosh
mailbox mailbox: mtk-cmdq: Fix local clock ID usage 2021-11-18 19:16:35 +01:00
mcb
md bcache: Revert "bcache: use bvec_virt" 2021-11-18 19:17:17 +01:00
media media: v4l2-core: fix VIDIOC_DQEVENT handling on non-x86 2021-12-01 09:04:45 +01:00
memory memory: tegra20-emc: Add runtime dependency on devfreq governor module 2021-11-25 09:48:30 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 19:16:32 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 19:17:17 +01:00
misc
mmc mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB 2021-12-01 09:04:43 +01:00
most
mtd mtd: rawnand: au1550nd: Keep the driver compatible with on-die ECC engines 2021-11-18 19:17:19 +01:00
mux
net net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-12-08 09:04:40 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 19:17:10 +01:00
ntb
nubus
nvdimm nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned 2021-11-18 19:17:07 +01:00
nvme nvmet: use IOCB_NOWAIT only if the filesystem supports it 2021-12-01 09:04:52 +01:00
nvmem
of of: unittest: fix EXPECT text for gpio hog errors 2021-11-18 19:16:45 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 19:17:00 +01:00
parisc
parport
pci PCI: aardvark: Fix link training 2021-12-01 09:04:44 +01:00
pcmcia
perf
phy phy: Sparx5 Eth SerDes: Fix return value check in sparx5_serdes_probe() 2021-11-18 19:16:56 +01:00
pinctrl pinctrl: qcom: fix unmet dependencies on GPIOLIB for GPIOLIB_IRQCHIP 2021-12-08 09:04:38 +01:00
platform platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep 2021-12-08 09:04:38 +01:00
pnp
power power: supply: bq27xxx: Fix kernel crash on IRQ handler register error 2021-11-18 19:16:58 +01:00
powercap
pps
ps3
ptp ptp: ocp: Fix a couple NULL vs IS_ERR() checks 2021-11-25 09:48:40 +01:00
pwm
rapidio
ras
regulator
remoteproc remoteproc: imx_rproc: Fix rsc-table name 2021-11-18 19:17:18 +01:00
reset
rpmsg
rtc rtc: rv3032: fix error handling in rv3032_clkout_set_rate() 2021-11-18 19:17:01 +01:00
s390 s390/cio: make ccw_device_dma_* more robust 2021-11-18 19:17:18 +01:00
sbus
scsi scsi: iscsi: Unblock session then wake up error handler 2021-12-08 09:04:39 +01:00
sh maple: fix wrong return value of maple_bus_init(). 2021-11-25 09:48:31 +01:00
siox
slimbus
soc soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read 2021-11-18 19:17:02 +01:00
soundwire soundwire: bus: stop dereferencing invalid slave pointer 2021-11-18 19:16:54 +01:00
spi spi: fix use-after-free of the add_lock mutex 2021-11-25 09:48:46 +01:00
spmi
ssb
staging staging: r8188eu: fix a memory leak in rtw_wx_read32() 2021-12-01 09:04:41 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-25 09:48:29 +01:00
tc
tee
thermal thermal: core: Reset previous low and high trip during thermal zone init 2021-12-08 09:04:39 +01:00
thunderbolt
tty tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc 2021-11-25 09:48:28 +01:00
uio
usb usb: hub: Fix locking issues with address0_mutex 2021-12-01 09:04:40 +01:00
vdpa vdpa_sim: avoid putting an uninitialized iova_domain 2021-12-01 09:04:55 +01:00
vfio
vhost vhost/vsock: fix incorrect used length reported to the guest 2021-12-01 09:04:55 +01:00
video parisc/sticon: fix reverse colors 2021-11-25 09:48:46 +01:00
virt
virtio virtio_ring: check desc == NULL when using indirect with packed 2021-11-18 19:16:58 +01:00
visorbus
vlynq
vme
w1
watchdog ar7: fix kernel builds for compiler test 2021-11-18 19:17:03 +01:00
xen xen: detect uninitialized xenbus in xenbus_init 2021-12-01 09:04:42 +01:00
zorro
Kconfig
Makefile