kernel_optimize_test/drivers
Teng Qi 2c15d2a6ba net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ]

The definition of macro MOTO_SROM_BUG is:
  #define MOTO_SROM_BUG    (lp->active == 8 && (get_unaligned_le32(
  dev->dev_addr) & 0x00ffffff) == 0x3e0008)

and the if statement
  if (MOTO_SROM_BUG) lp->active = 0;

using this macro indicates lp->active could be 8. If lp->active is 8 and
the second comparison of this macro is false, lp->active will remain 8 in:
  lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
  lp->phy[lp->active].mc  = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
  lp->phy[lp->active].mci = *p;

However, the length of array lp->phy is 8, so array overflows can occur.
To fix these possible array overflows, we first check lp->active and then
return -EINVAL if it is greater than or equal to ARRAY_SIZE(lp->phy) (i.e. 8).

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-12-08 09:03:20 +01:00
..
accessibility
acpi ACPI: Get acpi_device's parent from the parent field 2021-12-01 09:18:58 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:10:09 +01:00
android binder: fix test regression due to sender_euid change 2021-12-01 09:18:59 +01:00
ata ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile 2021-12-08 09:03:19 +01:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-19 09:44:52 +02:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 14:04:24 +01:00
base firmware_loader: fix pre-allocated buf built-in firmware use 2021-11-26 10:39:10 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-15 09:50:45 +02:00
block xen/blkfront: don't trust the backend response data blindly 2021-12-01 09:19:09 +01:00
bluetooth Bluetooth: btmtkuart: fix a memleak in mtk_hci_wmt_sync 2021-11-18 14:04:03 +01:00
bus bus: ti-sysc: Use context lost quirk for otg 2021-11-26 10:39:08 +01:00
cdrom
char tpm_tis_spi: Add missing SPI ID 2021-11-18 14:04:11 +01:00
clk clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk 2021-11-26 10:39:13 +01:00
clocksource clocksource/drivers/timer-ti-dm: Select TIMER_OF 2021-11-18 14:04:09 +01:00
connector
counter counter: 104-quad-8: Return error when invalid mode during ceiling_write 2021-09-15 09:50:38 +02:00
cpufreq cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory 2021-10-06 15:55:46 +02:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 14:04:05 +01:00
crypto crypto: qat - disregard spurious PFVF interrupts 2021-11-18 14:04:06 +01:00
dax
dca
devfreq
dio
dma dmaengine: dmaengine_desc_callback_valid(): Check for callback_result 2021-11-18 14:04:24 +01:00
dma-buf dma-buf: WARN on dmabuf release with pending attachments 2021-11-18 14:03:52 +01:00
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 14:04:06 +01:00
eisa
extcon extcon: intel-mrfld: Sync hardware and software state on init 2021-07-19 09:45:00 +02:00
firewire
firmware firmware: smccc: Fix check for ARCH_SOC_ID not implemented 2021-12-01 09:19:04 +01:00
fpga fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() 2021-09-30 10:11:04 +02:00
fsi fsi: Add missing MODULE_DEVICE_TABLE 2021-07-20 16:05:42 +02:00
gnss
gpio gpio: mlxbf2.c: Add check for bgpio_init failure 2021-11-18 14:03:42 +01:00
gpu drm/amd/amdgpu: fix potential memleak 2021-12-08 09:03:19 +01:00
greybus
hid HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts 2021-12-01 09:19:00 +01:00
hsi
hv hyperv/vmbus: include linux/bitops.h 2021-11-18 14:03:42 +01:00
hwmon hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff 2021-11-18 14:04:07 +01:00
hwspinlock
hwtracing coresight: cti: Correct the parameter for pm_runtime_put 2021-11-18 14:03:51 +01:00
i2c i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' 2021-11-18 14:04:25 +01:00
i3c
ide
idle
iio iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr() 2021-11-26 10:39:11 +01:00
infiniband RDMA/bnxt_re: Check if the vlan is valid before reporting 2021-11-26 10:39:08 +01:00
input Input: i8042 - Add quirk for Fujitsu Lifebook T725 2021-11-18 14:03:36 +01:00
interconnect treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
iommu iommu/amd: Clarify AMD IOMMUv2 initialization messages 2021-12-01 09:19:09 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:56:01 +02:00
irqchip irqchip/sifive-plic: Fixup EOI failed when masked 2021-11-18 14:04:29 +01:00
isdn mISDN: Fix return values of the probe function 2021-11-18 14:03:41 +01:00
leds leds: trigger: audio: Add an activate callback to ensure the initial brightness is set 2021-09-15 09:50:36 +02:00
lightnvm
macintosh
mailbox soc: mediatek: cmdq: add address shift in jump 2021-09-18 13:40:16 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-30 10:11:00 +02:00
md md: update superblock after changing rdev flags in state_store 2021-11-18 14:03:57 +01:00
media media: cec: copy sequence field for the reply 2021-12-01 09:19:00 +01:00
memory memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe 2021-11-18 14:04:16 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 14:04:07 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 14:04:30 +01:00
misc misc: fastrpc: Add missing lock before accessing find_vma() 2021-10-20 11:45:01 +02:00
mmc mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB 2021-12-01 09:19:01 +01:00
most most: fix control-message timeouts 2021-11-18 14:03:51 +01:00
mtd mtd: rawnand: au1550nd: Keep the driver compatible with on-die ECC engines 2021-11-18 14:04:31 +01:00
mux
net net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-12-08 09:03:20 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 14:04:27 +01:00
ntb NTB: perf: Fix an error code in perf_setup_inbuf() 2021-09-22 12:28:02 +02:00
nubus
nvdimm libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind 2021-09-18 13:40:36 +02:00
nvme nvmet: use IOCB_NOWAIT only if the filesystem supports it 2021-12-01 09:19:07 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 11:45:01 +02:00
of of: unittest: fix EXPECT text for gpio hog errors 2021-11-18 14:04:13 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 14:04:22 +01:00
oprofile
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-26 14:08:59 +02:00
parport parport: remove non-zero check on count 2021-09-18 13:40:34 +02:00
pci PCI: aardvark: Fix link training 2021-12-01 09:19:02 +01:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-12 13:22:16 +02:00
perf
phy phy: qcom-snps: Correct the FSEL_MASK 2021-11-18 14:04:20 +01:00
pinctrl pinctrl: qcom: sdm845: Enable dual edge errata 2021-11-26 10:39:18 +01:00
platform platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep 2021-12-08 09:03:19 +01:00
pnp
power power: supply: bq27xxx: Fix kernel crash on IRQ handler register error 2021-11-18 14:04:21 +01:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-13 10:04:27 +02:00
pwm pwm: stm32-lp: Don't modify HW state in .remove() callback 2021-09-26 14:09:01 +02:00
rapidio
ras
regulator regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled 2021-11-18 14:03:45 +01:00
remoteproc remoteproc: Fix a memory leak in an error handling path in 'rproc_handle_vdev()' 2021-11-18 14:04:23 +01:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-11-18 14:03:42 +01:00
rpmsg
rtc rtc: rv3032: fix error handling in rv3032_clkout_set_rate() 2021-11-18 14:04:23 +01:00
s390 s390/cio: make ccw_device_dma_* more robust 2021-11-18 14:04:30 +01:00
sbus
scsi scsi: iscsi: Unblock session then wake up error handler 2021-12-08 09:03:19 +01:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2021-11-26 10:39:12 +01:00
siox
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-26 08:35:55 -04:00
soc soc/tegra: pmc: Fix imbalanced clock disabling in error code path 2021-11-18 14:04:33 +01:00
soundwire soundwire: debugfs: use controller id and link_id for debugfs 2021-11-18 14:04:16 +01:00
spi spi: spi-rpc-if: Check return value of rpcif_sw_init() 2021-11-18 14:04:11 +01:00
spmi
ssb
staging staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() 2021-12-01 09:19:00 +01:00
target scsi: target: Fix alua_tg_pt_gps_count tracking 2021-11-26 10:39:11 +01:00
tc
tee tee: optee: Fix missing devices unregister during optee_remove 2021-10-20 11:45:02 +02:00
thermal thermal: core: Reset previous low and high trip during thermal zone init 2021-12-08 09:03:19 +01:00
thunderbolt thunderbolt: Fix port linking by checking all adapters 2021-09-18 13:40:27 +02:00
tty tty: hvc: replace BUG_ON() with negative return value 2021-12-01 09:19:10 +01:00
uio
usb usb: hub: Fix locking issues with address0_mutex 2021-12-01 09:18:59 +01:00
vdpa vdpa/mlx5: Avoid destroying MR on empty iotlb 2021-08-26 08:35:42 -04:00
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-18 13:40:12 +02:00
vhost vhost/vsock: fix incorrect used length reported to the guest 2021-12-01 09:19:09 +01:00
video parisc/sticon: fix reverse colors 2021-11-26 10:39:20 +01:00
virt
virtio virtio_ring: check desc == NULL when using indirect with packed 2021-11-18 14:04:21 +01:00
visorbus
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:05:39 +02:00
watchdog ar7: fix kernel builds for compiler test 2021-11-18 14:04:24 +01:00
xen xen: detect uninitialized xenbus in xenbus_init 2021-12-01 09:19:01 +01:00
zorro
Kconfig
Makefile