Re: [PATCH 2/2] misc: genwqe: card_dev: Array index overflow fix in ddcb_cmd_fixups()
From: Greg Kroah-Hartman
Date: Wed Dec 07 2022 - 11:24:24 EST
On Wed, Dec 07, 2022 at 05:18:08PM +0300, Aleksandr Burakov wrote:
> &cmd->asiv of size 96 can overflow because its index (asiv_offs + 8)
> can be equal to 96 (0x58 + 0x08) that is out of range.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx>
> Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
> ---
> drivers/misc/genwqe/card_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
> index 55fc5b80e649..d58ce2622307 100644
> --- a/drivers/misc/genwqe/card_dev.c
> +++ b/drivers/misc/genwqe/card_dev.c
> @@ -867,7 +867,7 @@ static int ddcb_cmd_fixups(struct genwqe_file *cfile, struct ddcb_requ *req)
> struct genwqe_ddcb_cmd *cmd = &req->cmd;
> struct dma_mapping *m;
>
> - for (i = 0, asiv_offs = 0x00; asiv_offs <= 0x58;
> + for (i = 0, asiv_offs = 0x00; asiv_offs < 0x58;
> i++, asiv_offs += 0x08) {
>
> u64 u_addr;
> --
> 2.25.1
>
Where is patch 1/2 of this series?