Commit f916fd37 authored by Dan Carpenter's avatar Dan Carpenter Committed by Stefan Bader

skge: potential memory corruption in skge_get_regs()

BugLink: https://bugs.launchpad.net/bugs/1818813

[ Upstream commit 294c149a ]

The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
of "regs->len" is in the 1-0x4000 range.  The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.

Fixes: c3f8be96 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 5b08dd54
......@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_device *dev, struct ethtool_regs *regs,
memset(p, 0, regs->len);
memcpy_fromio(p, io, B3_RAM_ADDR);
if (regs->len > B3_RI_WTO_R1) {
memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
regs->len - B3_RI_WTO_R1);
}
}
/* Wake on Lan only supported on Yukon chips with rev 1 or above */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment