skge: potential memory corruption in skge_get_regs() [Linux 5.0]

This Linux kernel change "skge: potential memory corruption in skge_get_regs()" is included in the Linux 5.0 release. This change is authored by Dan Carpenter <dan.carpenter [at] oracle.com> on Fri Feb 1 11:28:16 2019 +0300. The commit for this change in Linux stable tree is 294c149 (patch).

skge: potential memory corruption in skge_get_regs()

The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
of "regs->len" is in the 1-0x4000 range.  The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.

Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

There are 6 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/net/ethernet/marvell/skge.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c
index 04fd1f1..654ac53 100644
--- a/drivers/net/ethernet/marvell/skge.c
+++ b/drivers/net/ethernet/marvell/skge.c
@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_device *dev, struct ethtool_regs *regs,
    memset(p, 0, regs->len);
    memcpy_fromio(p, io, B3_RAM_ADDR);

-   memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
-             regs->len - B3_RI_WTO_R1);
+   if (regs->len > B3_RI_WTO_R1) {
+       memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+                 regs->len - B3_RI_WTO_R1);
+   }
 }

 /* Wake on Lan only supported on Yukon chips with rev 1 or above */

Leave a Reply

Your email address will not be published. Required fields are marked *