[PATCH 4.19 248/639] net: aquantia: fixed instack structure overflow

From: Greg Kroah-Hartman
Date: Fri Jan 24 2020 - 06:13:35 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.19 257/639] drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 232/639] platform/x86: wmi: fix potential null pointer dereference"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 232/639] platform/x86: wmi: fix potential null pointer dereference"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 257/639] drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Igor Russkikh <Igor.Russkikh@xxxxxxxxxxxx>

[ Upstream commit 8006e3730b6e900319411e35cee85b4513d298df ]

This is a real stack undercorruption found by kasan build.

The issue did no harm normally because it only overflowed
2 bytes after `bitary` array which on most architectures
were mapped into `err` local.

Fixes: bab6de8fd180 ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions.")
Signed-off-by: Nikita Danilov <nikita.danilov@xxxxxxxxxxxx>
Signed-off-by: Igor Russkikh <igor.russkikh@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 4 ++--
drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
index 97addfa6f8956..dab5891b97145 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
@@ -207,8 +207,8 @@ static int hw_atl_a0_hw_rss_set(struct aq_hw_s *self,
u32 i = 0U;
u32 num_rss_queues = max(1U, self->aq_nic_cfg->num_rss_queues);
int err = 0;
- u16 bitary[(HW_ATL_A0_RSS_REDIRECTION_MAX *
- HW_ATL_A0_RSS_REDIRECTION_BITS / 16U)];
+ u16 bitary[1 + (HW_ATL_A0_RSS_REDIRECTION_MAX *
+ HW_ATL_A0_RSS_REDIRECTION_BITS / 16U)];

memset(bitary, 0, sizeof(bitary));

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index 51cd1f98bcf07..c4f914a29c385 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -192,8 +192,8 @@ static int hw_atl_b0_hw_rss_set(struct aq_hw_s *self,
u32 i = 0U;
u32 num_rss_queues = max(1U, self->aq_nic_cfg->num_rss_queues);
int err = 0;
- u16 bitary[(HW_ATL_B0_RSS_REDIRECTION_MAX *
- HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];
+ u16 bitary[1 + (HW_ATL_B0_RSS_REDIRECTION_MAX *
+ HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];

memset(bitary, 0, sizeof(bitary));

--
2.20.1

Next message: Greg Kroah-Hartman: "[PATCH 4.19 257/639] drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 232/639] platform/x86: wmi: fix potential null pointer dereference"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 232/639] platform/x86: wmi: fix potential null pointer dereference"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 257/639] drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]