releases/4.14.99/skge-potential-memory-corruption-in-skge_get_regs.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sun Feb 10 12:47:17 CET 2019
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Fri, 1 Feb 2019 11:28:16 +0300
 Subject: skge: potential memory corruption in skge_get_regs()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 [ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]

 The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
 of "regs->len" is in the 1-0x4000 range.  The bug here is that
 "regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
 memory corruption and an abrupt crash.

 Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/net/ethernet/marvell/skge.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/drivers/net/ethernet/marvell/skge.c
 +++ b/drivers/net/ethernet/marvell/skge.c
 @@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
  	memset(p, 0, regs->len);
  	memcpy_fromio(p, io, B3_RAM_ADDR);

 -	memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
 -		      regs->len - B3_RI_WTO_R1);
 +	if (regs->len > B3_RI_WTO_R1) {
 +		memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
 +			      regs->len - B3_RI_WTO_R1);
 +	}
  }

  /* Wake on Lan only supported on Yukon chips with rev 1 or above */
	From foo@baz Sun Feb 10 12:47:17 CET 2019
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Fri, 1 Feb 2019 11:28:16 +0300
	Subject: skge: potential memory corruption in skge_get_regs()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]

	The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value
	of "regs->len" is in the 1-0x4000 range. The bug here is that
	"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
	memory corruption and an abrupt crash.

	Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/net/ethernet/marvell/skge.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/drivers/net/ethernet/marvell/skge.c
	+++ b/drivers/net/ethernet/marvell/skge.c
	@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
	memset(p, 0, regs->len);
	memcpy_fromio(p, io, B3_RAM_ADDR);

	- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
	- regs->len - B3_RI_WTO_R1);
	+ if (regs->len > B3_RI_WTO_R1) {
	+ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
	+ regs->len - B3_RI_WTO_R1);
	+ }
	}

	/* Wake on Lan only supported on Yukon chips with rev 1 or above */