| From foo@baz Sun Feb 10 12:47:17 CET 2019 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 1 Feb 2019 11:28:16 +0300 |
| Subject: skge: potential memory corruption in skge_get_regs() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ] |
| |
| The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value |
| of "regs->len" is in the 1-0x4000 range. The bug here is that |
| "regs->len - B3_RI_WTO_R1" can be a negative value which would lead to |
| memory corruption and an abrupt crash. |
| |
| Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/ethernet/marvell/skge.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/ethernet/marvell/skge.c |
| +++ b/drivers/net/ethernet/marvell/skge.c |
| @@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev |
| memset(p, 0, regs->len); |
| memcpy_fromio(p, io, B3_RAM_ADDR); |
| |
| - memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1, |
| - regs->len - B3_RI_WTO_R1); |
| + if (regs->len > B3_RI_WTO_R1) { |
| + memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1, |
| + regs->len - B3_RI_WTO_R1); |
| + } |
| } |
| |
| /* Wake on Lan only supported on Yukon chips with rev 1 or above */ |