tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

dpaa2-switch: add bounds check for if_id in IRQ handler

The IRQ handler extracts if_id from the upper 16 bits of the hardware
status register and uses it to index into ethsw->ports[] without
validation. Since if_id can be any 16-bit value (0-65535) but the ports
array is only allocated with sw_attr.num_ifs elements, this can lead to
an out-of-bounds read potentially.

Add a bounds check before accessing the array, consistent with the
existing validation in dpaa2_switch_rx().

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Junrui Luo and committed by
Jakub Kicinski 31a7a0bb 82deb281

+4
+4
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
··· 1531 1531 } 1532 1532 1533 1533 if_id = (status & 0xFFFF0000) >> 16; 1534 + if (if_id >= ethsw->sw_attr.num_ifs) { 1535 + dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); 1536 + goto out; 1537 + } 1534 1538 port_priv = ethsw->ports[if_id]; 1535 1539 1536 1540 if (status & DPSW_IRQ_EVENT_LINK_CHANGED)