Kernel/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-14 09:09:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux/drivers
History
Stefano Brivio 0f3086868e cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() 
Passing commands for logging to t4_record_mbox() with size
MBOX_LEN, when the actual command size is actually smaller,
causes out-of-bounds stack accesses in t4_record_mbox() while
copying command words here:

	for (i = 0; i < size / 8; i++)
		entry->cmd[i] = be64_to_cpu(cmd[i]);

Up to 48 bytes from the stack are then leaked to debugfs.

This happens whenever we send (and log) commands described by
structs fw_sched_cmd (32 bytes leaked), fw_vi_rxmode_cmd (48),
fw_hello_cmd (48), fw_bye_cmd (48), fw_initialize_cmd (48),
fw_reset_cmd (48), fw_pfvf_cmd (32), fw_eq_eth_cmd (16),
fw_eq_ctrl_cmd (32), fw_eq_ofld_cmd (32), fw_acl_mac_cmd(16),
fw_rss_glb_config_cmd(32), fw_rss_vi_config_cmd(32),
fw_devlog_cmd(32), fw_vi_enable_cmd(48), fw_port_cmd(32),
fw_sched_cmd(32), fw_devlog_cmd(32).

The cxgb4vf driver got this right instead.

When we call t4_record_mbox() to log a command reply, a MBOX_LEN
size can be used though, as get_mbox_rpl() will fill cmd_rpl up
completely.

Fixes: 7f080c3f2ff0 ("cxgb4: Add support to enable logging of firmware mailbox commands")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-28 15:24:23 -07:00
..
accessibility
acpi
tty/serial fixes for 4.13-rc5
2017-08-13 12:33:35 -07:00
amba
android
binder: Use wake up hint for synchronous transactions.
2017-07-17 14:44:19 +02:00
ata
libata: fix a couple of doc build warnings
2017-07-31 08:03:06 -07:00
atm
atm: zatm: Fix an error handling path in 'zatm_init_one()'
2017-07-18 11:37:46 -07:00
auxdisplay
base
driver core fixes for 4.13-rc5
2017-08-13 12:44:18 -07:00
bcma
block
Merge branch 'stable/for-jens-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus
2017-08-16 09:56:34 -06:00
bluetooth
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-07-05 12:31:59 -07:00
bus
bus: uniphier-system-bus: set up registers when resuming
2017-08-04 12:57:18 +02:00
cdrom
block: don't set bounce limit in blk_init_queue
2017-06-27 12:13:45 -06:00
char
random: fix warning message on ia64 and parisc
2017-08-08 09:36:46 -07:00
clk
clk: keystone: sci-clk: Fix sci_clk_get
2017-08-02 18:37:26 -07:00
clocksource
clocksource/drivers/Kconfig: Fix CLKSRC_PISTACHIO dependencies
2017-08-11 12:53:29 +02:00
connector
cpufreq
cpufreq: intel_pstate: report correct CPU frequencies during trace
2017-08-11 01:25:53 +02:00
cpuidle
powerpc/powernv/idle: Disable LOSE_FULL_CONTEXT states when stop-api fails
2017-08-08 20:21:23 +10:00
crypto
crypto: ixp4xx - Fix error handling path in 'aead_perform()'
2017-08-09 20:01:33 +08:00
dax
- A few DM integrity fixes that improve performance. One that address
2017-07-28 12:17:17 -07:00
dca
devfreq
PM / devfreq: constify attribute_group structures.
2017-07-06 10:17:24 +09:00
dio
dma
dmaengine updates for 4.13-rc1
2017-07-08 12:36:50 -07:00
dma-buf
dma-buf/sync_file: Allow multiple sync_files to wrap a single dma-fence
2017-07-31 10:55:24 -03:00
edac
EDAC, pnd2: Fix Apollo Lake DIMM detection
2017-06-29 10:37:50 +02:00
eisa
extcon
firewire
firmware
efi: avoid fortify checks in EFI stub
2017-07-12 16:26:02 -07:00
fmc
fpga
fsi
drivers/fsi: fix fsi_slave_mode prototype
2017-07-17 16:13:54 +02:00
gpio
gpio: tegra: fix unbalanced chained_irq_enter/exit
2017-08-02 10:42:38 +02:00
gpu
Merge branch 'drm-fixes-4.13' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
2017-08-18 05:45:03 +10:00
hid
HID: ortek: add one more buggy device
2017-07-24 17:38:21 +02:00
hsi
HSI changes for the v4.13 series
2017-07-04 14:28:22 -07:00
hv
vmbus: re-enable channel tasklet
2017-07-17 15:00:47 +02:00
hwmon
hwmon: (applesmc) Avoid buffer overruns
2017-07-15 16:38:56 -07:00
hwspinlock
hwtracing
Char/Misc patches for 4.13-rc1
2017-07-03 20:55:59 -07:00
i2c
i2c: allow i2c-versatile for ARM MPS platforms
2017-07-31 17:05:16 +02:00
ide
ide: avoid warning for timings calculation
2017-07-21 04:37:22 +01:00
idle
intel_idle: Use more common logging style
2017-06-29 22:58:35 +02:00
iio
First set of IIO fixes for the 4.13 cycle.
2017-07-23 20:54:31 -07:00
infiniband
IB/uverbs: Fix NULL pointer dereference during device removal
2017-08-16 12:53:15 -04:00
input
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2017-08-17 13:45:44 -07:00
iommu
iommu/arm-smmu: fix null-pointer dereference in arm_smmu_add_device
2017-08-11 16:56:51 +02:00
ipack
irqchip
irqchip fixes for 4.13
2017-08-14 09:34:10 +02:00
isdn
mISDN: Fix null pointer dereference at mISDN_FsmNew
2017-08-11 14:56:23 -07:00
leds
LED updates for 4.13
2017-07-06 11:32:40 -07:00
lguest
lightnvm
lightnvm: pblk: advance bio according to lba index
2017-07-28 08:06:00 -06:00
macintosh
Merge branch 'work.misc-set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-05 13:13:32 -07:00
mailbox
mailbox: pcc: Fix crash when request PCC channel 0
2017-07-26 02:11:47 +02:00
mcb
md
MD: not clear ->safemode for external metadata array
2017-08-11 20:42:06 -07:00
media
media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS
2017-07-26 06:14:33 -04:00
memory
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
memstick
message
mfd
chrome-platform-for-linus-4.13
2017-07-11 09:55:47 -07:00
misc
mei: exclude device from suspend direct complete optimization
2017-08-10 14:13:18 -07:00
mmc
mmc: block: fix lockdep splat when removing mmc_block module
2017-08-09 13:19:44 +02:00
mtd
mtd: blkdevs: Fix mtd block write failure
2017-08-12 14:53:24 -07:00
mux
mux: mux-core: unregister mux_class in mux_exit()
2017-07-17 16:38:35 +02:00
net
cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox()
2017-08-28 15:24:23 -07:00
nfc
NFC 4.13 pull request
2017-07-01 14:30:39 -07:00
ntb
ntb: Add error path/handling to Debug FS entry creation
2017-07-06 11:30:08 -04:00
nubus
nvdimm
libnvdimm: fix badblock range handling of ARS range
2017-07-17 11:43:58 -07:00
nvme
nvme-pci: set cqe_seen on polled completions
2017-08-18 09:19:39 +02:00
nvmem
nvmem: rockchip-efuse: amend compatible rk322x-efuse to rk3228-efuse
2017-07-17 16:15:57 +02:00
of
of: fix DMA mask generation
2017-08-17 10:23:45 +02:00
oprofile
parisc
parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
2017-08-16 09:50:39 +02:00
parport
pci
PCI: Allow PCI express root ports to find themselves
2017-08-18 16:14:37 -07:00
pcmcia
perf
drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU
2017-07-27 13:43:22 +01:00
phy
phy: bcm-ns-usb3: fix MDIO_BUS dependency
2017-07-27 17:20:19 -07:00
pinctrl
Pin control fixes for the v4.13 cycle:
2017-08-09 14:30:34 -07:00
platform
platform/x86: intel-vbtn: match power button on press rather than release
2017-08-05 14:37:19 -07:00
pnp
This is the bulk of GPIO changes for the v4.13 series:
2017-07-07 12:40:27 -07:00
power
power supply and reset changes for the v4.13 series (part 2)
2017-07-13 11:47:59 -07:00
powercap
powercap/RAPL: prevent overridding bits outside of the mask
2017-06-28 00:38:34 +02:00
pps
ps3
ptp
ptp: introduce ptp auxiliary worker
2017-08-01 15:22:55 -07:00
pwm
pwm: Changes for v4.13-rc1
2017-07-13 11:49:52 -07:00
rapidio
ras
arm64 updates for 4.13:
2017-07-05 17:09:27 -07:00
regulator
Merge remote-tracking branches 'regulator/topic/settle', 'regulator/topic/tps65910' and 'regulator/topic/tps65917' into regulator-next
2017-07-03 16:52:21 +01:00
remoteproc
remoteproc/keystone: Fix circular dependencies for ARM configs
2017-06-27 16:21:34 -07:00
reset
ARM: SoC driver updates
2017-07-04 14:47:47 -07:00
rpmsg
rpmsg updates for v4.13
2017-07-06 15:38:31 -07:00
rtc
rtc: ds1307: fix regmap config
2017-08-21 11:08:03 +02:00
s390
s390/qeth: fix L3 next-hop in xmit qeth hdr
2017-08-07 11:24:37 -07:00
sbus
sbus: Convert to using %pOF instead of full_name
2017-07-20 12:37:10 -07:00
scsi
SCSI fixes on 20170816
2017-08-16 17:21:20 -07:00
sfi
sh
drivers/sh/intc/virq.c: delete an error message for a failed memory allocation in add_virq_to_pirq()
2017-07-06 16:24:30 -07:00
sn
soc
soc: ti: ti_sci_pm_domains: Populate name for genpd
2017-08-18 11:59:53 +02:00
spi
Merge branch 'for-spi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-07-08 10:41:53 -07:00
spmi
spmi: pmic-arb: Always allocate ppid_to_apid table
2017-07-17 15:00:47 +02:00
ssb
staging
staging/iio fixes for 4.13-rc5
2017-08-13 12:30:17 -07:00
target
target: Fix node_acl demo-mode + uncached dynamic shutdown regression
2017-08-09 20:55:19 -07:00
tc
tee
thermal
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
2017-07-14 13:12:32 -07:00
thunderbolt
char/misc fixes for 4.13-rc5
2017-08-13 12:41:58 -07:00
tty
pty: fix the cached path of the pty slave file descriptor in the master
2017-08-17 09:10:48 -07:00
uio
usb
USB fixes for 4.13-rc5
2017-08-13 12:27:42 -07:00
uwb
driver core patches for 4.13-rc1
2017-07-03 20:27:48 -07:00
vfio
vfio/pci: Fix handling of RC integrated endpoint PCIe capability size
2017-07-27 10:39:33 -06:00
vhost
Revert "vhost: cache used event for better performance"
2017-07-29 14:15:56 -07:00
video
efifb: allow user to disable write combined mapping.
2017-07-31 18:45:41 +02:00
virt
virtio
virtio-balloon: coding format cleanup
2017-07-25 16:37:35 +03:00
vlynq
vme
w1
w1: omap-hdq: fix error return code in omap_hdq_probe()
2017-07-17 16:48:15 +02:00
watchdog
Merge git://www.linux-watchdog.org/linux-watchdog
2017-07-11 09:59:37 -07:00
xen
Merge branch 'stable/for-jens-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus
2017-08-16 09:56:34 -06:00
zorro
Kconfig
Makefile