net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() [Linux 5.0]

This Linux kernel change "net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()" is included in the Linux 5.0 release. This change is authored by Dan Carpenter <dan.carpenter [at]> on Wed Feb 13 11:23:04 2019 +0300. The commit for this change in Linux stable tree is 8d6ea93 (patch).

net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()

The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
array is allocated in dsa_switch_alloc() and it has ds->num_ports
elements so this leads to a static checker warning about a potential out
of bounds read.

Fixes: 8cfa94984c9c ("net: dsa: bcm_sf2: add suspend/resume callbacks")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Vivien Didelot <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

There are 2 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/net/dsa/bcm_sf2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index 361fbde..17ec32b 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -690,7 +690,7 @@ static int bcm_sf2_sw_suspend(struct dsa_switch *ds)
     * port, the other ones have already been disabled during
     * bcm_sf2_sw_setup
-   for (port = 0; port < DSA_MAX_PORTS; port++) {
+   for (port = 0; port < ds->num_ports; port++) {
        if (dsa_is_user_port(ds, port) || dsa_is_cpu_port(ds, port))
            bcm_sf2_port_disable(ds, port, NULL);

Leave a Reply

Your email address will not be published. Required fields are marked *