github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 14:42:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
71e284dceb
linux/drivers
History
Teng Qi 40e35c7744 net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 
[ Upstream commit 0fa68da72c ]

The definition of macro MOTO_SROM_BUG is:
  #define MOTO_SROM_BUG    (lp->active == 8 && (get_unaligned_le32(
  dev->dev_addr) & 0x00ffffff) == 0x3e0008)

and the if statement
  if (MOTO_SROM_BUG) lp->active = 0;

using this macro indicates lp->active could be 8. If lp->active is 8 and
the second comparison of this macro is false. lp->active will remain 8 in:
  lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].mc  = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].mci = *p;

However, the length of array lp->phy is 8, so array overflows can occur.
To fix these possible array overflows, we first check lp->active and then
return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8).

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-12-08 09:04:40 +01:00
..
accessibility
acpi ACPI: CPPC: Add NULL pointer check to cppc_get_perf() 2021-12-01 09:04:38 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:13:31 +01:00
android binder: fix test regression due to sender_euid change 2021-12-01 09:04:40 +01:00
ata ata: libahci: Adjust behavior when StorageD3Enable _DSD is set 2021-12-08 09:04:40 +01:00
atm
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 19:17:02 +01:00
base firmware_loader: fix pre-allocated buf built-in firmware use 2021-11-25 09:48:27 +01:00
bcma Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
block loop: Use blk_validate_block_size() to validate block size 2021-11-21 13:44:13 +01:00
bluetooth Bluetooth: btusb: Add support for TP-Link UB500 Adapter 2021-11-21 13:44:13 +01:00
bus bus: ti-sysc: Use context lost quirk for otg 2021-11-25 09:48:25 +01:00
cdrom
char ipmi: kcs_bmc: Fix a memory leak in the error handling path of 'kcs_bmc_serio_add_device()' 2021-11-18 19:16:44 +01:00
clk clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk 2021-11-25 09:48:32 +01:00
clocksource clocksource/drivers/timer-ti-dm: Select TIMER_OF 2021-11-18 19:16:39 +01:00
comedi comedi: vmk80xx: fix bulk and interrupt message timeouts 2021-11-12 15:05:51 +01:00
connector
counter
cpufreq cpufreq: intel_pstate: Add Ice Lake server to out-of-band IDs 2021-12-01 09:04:51 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 19:16:29 +01:00
crypto crypto: octeontx2 - set assoclen in aead_do_fallback() 2021-11-18 19:16:33 +01:00
cxl cxl/pci: Fix NULL vs ERR_PTR confusion 2021-11-18 19:16:04 +01:00
dax libnvdimm for v5.15 2021-09-09 11:39:57 -07:00
dca
devfreq devfreq: use HZ macros 2021-09-08 11:50:26 -07:00
dio
dma dmaengine: remove debugfs #ifdef 2021-11-25 09:48:41 +01:00
dma-buf dma-buf: WARN on dmabuf release with pending attachments 2021-11-18 19:16:08 +01:00
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 19:16:30 +01:00
eisa
extcon
firewire FireWire (IEEE 1394) subsystem updates: 2021-09-11 09:47:33 -07:00
firmware firmware: arm_scmi: Fix type error in sensor protocol 2021-12-01 09:04:56 +01:00
fpga fpga: ice40-spi: Add SPI device ID table 2021-09-27 14:00:41 -07:00
fsi
gnss
gpio gpio: rockchip: needs GENERIC_IRQ_CHIP to fix build errors 2021-11-25 09:48:36 +01:00
gpu drm/amd/amdgpu: fix potential memleak 2021-12-08 09:04:39 +01:00
greybus
hid HID: magicmouse: prevent division by 0 on scroll 2021-12-01 09:04:48 +01:00
hsi
hv Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size 2021-11-25 09:48:46 +01:00
hwmon hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff 2021-11-18 19:16:32 +01:00
hwspinlock
hwtracing coresight: trbe: Defer the probe on offline CPUs 2021-11-18 19:16:06 +01:00
i2c i2c: virtio: disable timeout handling 2021-12-01 09:04:50 +01:00
i3c
idle
iio iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr() 2021-11-25 09:48:29 +01:00
infiniband RDMA/mlx4: Do not fail the registration on port stats 2021-11-25 09:48:39 +01:00
input Input: st1232 - increase "wait ready" timeout 2021-11-18 19:17:01 +01:00
interconnect interconnect: qcom: sdm660: Add missing a2noc qos clocks 2021-09-13 15:49:55 +03:00
iommu iommu/amd: Clarify AMD IOMMUv2 initialization messages 2021-12-01 09:04:55 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-09-27 17:38:49 +02:00
irqchip irqchip/sifive-plic: Fixup EOI failed when masked 2021-11-18 19:17:14 +01:00
isdn mISDN: Fix return values of the probe function 2021-10-19 13:09:28 +01:00
leds
macintosh memblock: introduce saner 'memblock_free_ptr()' interface 2021-09-14 13:23:22 -07:00
mailbox mailbox: mtk-cmdq: Fix local clock ID usage 2021-11-18 19:16:35 +01:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-14 11:22:26 +02:00
md bcache: Revert "bcache: use bvec_virt" 2021-11-18 19:17:17 +01:00
media media: v4l2-core: fix VIDIOC_DQEVENT handling on non-x86 2021-12-01 09:04:45 +01:00
memory memory: tegra20-emc: Add runtime dependency on devfreq governor module 2021-11-25 09:48:30 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 19:16:32 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 19:17:17 +01:00
misc eeprom: 93xx46: fix MODULE_DEVICE_TABLE 2021-10-15 10:54:02 +02:00
mmc mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB 2021-12-01 09:04:43 +01:00
most most: fix control-message timeouts 2021-11-18 19:16:08 +01:00
mtd mtd: rawnand: au1550nd: Keep the driver compatible with on-die ECC engines 2021-11-18 19:17:19 +01:00
mux
net net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-12-08 09:04:40 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 19:17:10 +01:00
ntb Bug fixes and clean-ups for Linux v5.15 2021-09-07 13:05:02 -07:00
nubus
nvdimm nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned 2021-11-18 19:17:07 +01:00
nvme nvmet: use IOCB_NOWAIT only if the filesystem supports it 2021-12-01 09:04:52 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-13 15:09:58 +02:00
of of: unittest: fix EXPECT text for gpio hog errors 2021-11-18 19:16:45 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 19:17:00 +01:00
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-09 12:44:31 +02:00
parport parisc architecture updates for kernel 5.15: 2021-09-02 13:16:00 -07:00
pci PCI: aardvark: Fix link training 2021-12-01 09:04:44 +01:00
pcmcia
perf KVM: arm64: Fix PMU probe ordering 2021-09-20 12:43:34 +01:00
phy phy: Sparx5 Eth SerDes: Fix return value check in sparx5_serdes_probe() 2021-11-18 19:16:56 +01:00
pinctrl pinctrl: qcom: fix unmet dependencies on GPIOLIB for GPIOLIB_IRQCHIP 2021-12-08 09:04:38 +01:00
platform platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep 2021-12-08 09:04:38 +01:00
pnp
power power: supply: bq27xxx: Fix kernel crash on IRQ handler register error 2021-11-18 19:16:58 +01:00
powercap
pps
ps3
ptp ptp: ocp: Fix a couple NULL vs IS_ERR() checks 2021-11-25 09:48:40 +01:00
pwm pwm: mtk-disp: Implement atomic API .get_state() 2021-09-02 22:27:46 +02:00
rapidio
ras
regulator regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled 2021-11-18 19:15:57 +01:00
remoteproc remoteproc: imx_rproc: Fix rsc-table name 2021-11-18 19:17:18 +01:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-10-05 12:23:16 +02:00
rpmsg
rtc rtc: rv3032: fix error handling in rv3032_clkout_set_rate() 2021-11-18 19:17:01 +01:00
s390 s390/cio: make ccw_device_dma_* more robust 2021-11-18 19:17:18 +01:00
sbus
scsi scsi: iscsi: Unblock session then wake up error handler 2021-12-08 09:04:39 +01:00
sh maple: fix wrong return value of maple_bus_init(). 2021-11-25 09:48:31 +01:00
siox
slimbus Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
soc soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read 2021-11-18 19:17:02 +01:00
soundwire soundwire: bus: stop dereferencing invalid slave pointer 2021-11-18 19:16:54 +01:00
spi spi: fix use-after-free of the add_lock mutex 2021-11-25 09:48:46 +01:00
spmi
ssb
staging staging: r8188eu: fix a memory leak in rtw_wx_read32() 2021-12-01 09:04:41 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-25 09:48:29 +01:00
tc
tee tee: optee: Fix missing devices unregister during optee_remove 2021-10-12 13:24:39 +02:00
thermal thermal: core: Reset previous low and high trip during thermal zone init 2021-12-08 09:04:39 +01:00
thunderbolt thunderbolt: build kunit tests without structleak plugin 2021-10-06 17:53:49 -06:00
tty tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc 2021-11-25 09:48:28 +01:00
uio
usb usb: hub: Fix locking issues with address0_mutex 2021-12-01 09:04:40 +01:00
vdpa vdpa_sim: avoid putting an uninitialized iova_domain 2021-12-01 09:04:55 +01:00
vfio vfio/pci: add missing identifier name in argument of function prototype 2021-09-23 14:12:36 -06:00
vhost vhost/vsock: fix incorrect used length reported to the guest 2021-12-01 09:04:55 +01:00
video parisc/sticon: fix reverse colors 2021-11-25 09:48:46 +01:00
virt
virtio virtio_ring: check desc == NULL when using indirect with packed 2021-11-18 19:16:58 +01:00
visorbus
vlynq
vme
w1
watchdog ar7: fix kernel builds for compiler test 2021-11-18 19:17:03 +01:00
xen xen: detect uninitialized xenbus in xenbus_init 2021-12-01 09:04:42 +01:00
zorro
Kconfig firmware: include drivers/firmware/Kconfig unconditionally 2021-10-07 16:51:26 +02:00
Makefile