Commit 294c149a authored Feb 01, 2019 by Dan Carpenter Committed by David S. Miller Feb 01, 2019

skge: potential memory corruption in skge_get_regs()



The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
of "regs->len" is in the 1-0x4000 range.  The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.

Fixes: c3f8be96 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 5e66e35a

drivers/net/ethernet/marvell/skge.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -152,9 +152,11 @@ static void skge_get_regs(struct net_device dev, struct ethtool_regs regs,
		memset(p, 0, regs->len);
		memcpy_fromio(p, io, B3_RAM_ADDR);

		if (regs->len > B3_RI_WTO_R1) {
		memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
		regs->len - B3_RI_WTO_R1);
		}
		}

		/* Wake on Lan only supported on Yukon chips with rev 1 or above */
		static u32 wol_supported(const struct skge_hw *hw)