Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

lib/mpi: Fix buffer overrun when SG is too long

The helper mpi_read_raw_from_sgl sets the number of entries in
the SG list according to nbytes. However, if the last entry
in the SG list contains more data than nbytes, then it may overrun
the buffer because it only allocates enough memory for nbytes.

Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

+2 -1
lib/mpi/mpicoder.c
··· 504 504 505 505 while (sg_miter_next(&miter)) { 506 506 buff = miter.addr; 507 - len = miter.length; 507 + len = min_t(unsigned, miter.length, nbytes); 508 + nbytes -= len; 508 509 509 510 for (x = 0; x < len; x++) { 510 511 a <<= 8;
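
Review bot: the clamp on the added line "len = min_t(unsigned, miter.length, nbytes);" uses a bare "unsigned"; kernel style prefers "unsigned int" there, and checkpatch warns about the bare form. A second, smaller point on the same two added lines: once "nbytes -= len;" brings nbytes to 0, the while loop still calls sg_miter_next() for any remaining entries and runs the inner for loop with len == 0. That is harmless, and the commit message says the entry count is already derived from nbytes so only the last entry can be oversized, but a one-line comment above the clamp saying that the last SG entry may hold more data than nbytes would make the intent clear to the next reader.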