RE: [char-misc-next 2/8] mei: hbm: validate client index is notexceeding allocated array size

From: Winkler, Tomas
Date: Thu Nov 07 2013 - 07:22:10 EST

Next message: Fengguang Wu: "[init_mac80211_hwsim] BUG: unable to handle kernel paging request atcd1aa02c"
Previous message: Mugunthan V N: "Re: [patch] net: make ndev->irq signed for error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> >
> > This somehow should guard buffer overflow allocated of size dev-
> >me_clients_num
> > In theory this can happen only if something go wrong in hardware
> > initialization or there is some other security hole that can change
> > client_num.
>
> What _kind_ of "security hole" could ever change that number? Where
> does it come from? Who can modify it? If you don't know that now then
> we have worse problems...

The allocation of me_clients arrays of mei_clients_num is happening on ME enumeration message,
While the filling out the array is looping over get properties message which is bounded by MEI_CLIENTS_MAX,
so the overflow is indeed possible, of course only on some faulty HW. We had such errors only on new
HW bring ups.

Thanks
Tomas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Fengguang Wu: "[init_mac80211_hwsim] BUG: unable to handle kernel paging request atcd1aa02c"
Previous message: Mugunthan V N: "Re: [patch] net: make ndev->irq signed for error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]