linux-stable/drivers
Xiaolong Huang 9b6b2db77b isdn: cpai: check ctr->cnr to avoid array index out of bound
commit 1f3e2e97c0 upstream.

The cmtp_add_connection() would add a cmtp session to a controller
and run a kernel thread to process cmtp.

	__module_get(THIS_MODULE);
	session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
								session->num);

During this process, the kernel thread would call detach_capi_ctr()
to detach a registered controller. If the controller
was not attached yet, detach_capi_ctr() would
trigger an array-index-out-of-bounds bug.

[   46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21
[   46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
[   46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8
[   46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[   46.870107][ T6479] Call Trace:
[   46.870473][ T6479]  dump_stack_lvl+0x57/0x7d
[   46.870974][ T6479]  ubsan_epilogue+0x5/0x40
[   46.871458][ T6479]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
[   46.872135][ T6479]  detach_capi_ctr+0x64/0xc0
[   46.872639][ T6479]  cmtp_session+0x5c8/0x5d0
[   46.873131][ T6479]  ? __init_waitqueue_head+0x60/0x60
[   46.873712][ T6479]  ? cmtp_add_msgpart+0x120/0x120
[   46.874256][ T6479]  kthread+0x147/0x170
[   46.874709][ T6479]  ? set_kthread_struct+0x40/0x40
[   46.875248][ T6479]  ret_from_fork+0x1f/0x30
[   46.875773][ T6479]

Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-27 09:51:40 +02:00
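The bug the commit message above describes is a detach of a controller that was never attached: its controller number is still zero, so the 1-based-to-0-based conversion yields index -1 into a 32-entry table, exactly what the UBSAN line reports. The following is an added user-space model of that attach/detach path, not the kernel's kcapi.c or cmtp code; the names `attach_capi_ctr`, `detach_capi_ctr`, `capi_controller`, `CAPI_MAXCONTR` and the 1-based `cnr` numbering are assumptions modelled on the report and the commit title ("check ctr->cnr"), and the sequence in `cmtp_session_scenario` is constructed to reproduce the described ordering:

```c
/* Added example: a user-space model of the attach/detach path described in the
 * commit message.  Not the kernel's kcapi.c; names, the 32-slot table and the
 * 1-based slot numbering are assumptions taken from the UBSAN report
 * ("index -1 ... 'capi_ctr *[32]'") and the commit title ("check ctr->cnr"). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAPI_MAXCONTR 32

struct capi_ctr {
    int cnr;             /* 1-based controller number; 0 means "never attached" */
    const char *name;
};

/* Registered controllers, indexed by cnr - 1. */
static struct capi_ctr *capi_controller[CAPI_MAXCONTR];
static int ncontrollers;

/* Take the first free slot and record its 1-based number in ctr->cnr.
 * Returns that number, or -1 when the table is full. */
int attach_capi_ctr(struct capi_ctr *ctr)
{
    for (int i = 0; i < CAPI_MAXCONTR; i++) {
        if (capi_controller[i] == NULL) {
            capi_controller[i] = ctr;
            ctr->cnr = i + 1;
            ncontrollers++;
            return ctr->cnr;
        }
    }
    return -1;
}

/* Pre-fix behaviour: trusts ctr->cnr.  For a controller that was never
 * attached cnr is still 0, so the index is -1 (the UBSAN report).  This
 * helper only computes the index the old code would have used; it does
 * not perform the out-of-bounds write. */
int detach_capi_ctr_unchecked_index(const struct capi_ctr *ctr)
{
    return ctr->cnr - 1;
}

/* Post-fix behaviour: validate cnr before using it as an index, and also
 * confirm the slot really holds this controller, which rejects a stale or
 * reused number.  Returns 0 on success, -1 if ctr is not attached. */
int detach_capi_ctr(struct capi_ctr *ctr)
{
    if (ctr->cnr < 1 || ctr->cnr > CAPI_MAXCONTR)
        return -1;
    if (capi_controller[ctr->cnr - 1] != ctr)
        return -1;
    capi_controller[ctr->cnr - 1] = NULL;
    ncontrollers--;
    ctr->cnr = 0;
    return 0;
}

int capi_controller_count(void) { return ncontrollers; }

/* Clear the table so the scenario starts from a clean state. */
void capi_reset(void)
{
    memset(capi_controller, 0, sizeof(capi_controller));
    ncontrollers = 0;
}

/* Constructed sequence mirroring the commit message: the session thread
 * detaches a controller that was never attached, then a normal attach,
 * detach and double detach.  Returns how many detaches were rejected. */
int cmtp_session_scenario(void)
{
    struct capi_ctr never_attached = { .cnr = 0, .name = "cmtp-not-attached" };
    struct capi_ctr attached = { .cnr = 0, .name = "cmtp-attached" };
    int rejected = 0;

    capi_reset();
    printf("index the unchecked code would use: %d\n",
           detach_capi_ctr_unchecked_index(&never_attached));
    if (detach_capi_ctr(&never_attached) != 0)
        rejected++;              /* refused instead of touching slot -1 */

    attach_capi_ctr(&attached);
    if (detach_capi_ctr(&attached) != 0)
        rejected++;              /* the normal path still succeeds */
    if (detach_capi_ctr(&attached) != 0)
        rejected++;              /* a second detach is refused too */
    return rejected;
}

int main(void)
{
    printf("rejected detaches: %d\n", cmtp_session_scenario());
    return 0;
}
```

The second check in `detach_capi_ctr` (that the slot actually points back at `ctr`) goes slightly beyond a bare range check on `cnr`; it is the cheap way to make detach idempotent, which matters when the detaching thread and the attach path can race as the message describes.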
accessibility
acpi acpi/arm64: fix next_platform_timer() section mismatch error 2021-10-20 10:42:05 +02:00
amba
android
ata pata_legacy: fix a couple uninitialized variable bugs 2021-10-20 10:42:05 +02:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-20 16:17:44 +02:00
auxdisplay
base PM: base: power: don't try to use non-existing RTC for storing data 2021-09-22 11:45:33 +02:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-22 11:45:22 +02:00
block cryptoloop: add a deprecation warning 2021-09-22 11:45:15 +02:00
bluetooth Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. 2021-07-20 16:17:45 +02:00
bus bus: qcom: Put child node before return 2021-05-22 10:57:28 +02:00
cdrom cdrom: gdrom: initialize global variable at init time 2021-05-26 11:47:00 +02:00
char virtio_console: Assure used length from device is limited 2021-07-20 16:17:53 +02:00
clk clk: kirkwood: Fix a clocking boot regression 2021-09-22 11:45:23 +02:00
clocksource clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel 2021-09-22 11:45:19 +02:00
connector
cpufreq cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory 2021-10-06 15:05:08 +02:00
cpuidle
crypto crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() 2021-10-06 15:05:10 +02:00
dax
dca
devfreq
dio
dma dmaengine: xilinx_dma: Set DMA mask for coherent APIs 2021-09-26 13:37:29 +02:00
dma-buf dma-buf/sync_file: Don't leak fences on merge failure 2021-07-28 11:12:16 +02:00
edac EDAC/synopsys: Fix wrong value type assignment for edac_mode 2021-10-06 15:05:09 +02:00
eisa
extcon extcon: max8997: Add missing modalias string 2021-07-20 16:17:41 +02:00
firewire
firmware efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() 2021-10-20 10:42:03 +02:00
fmc
fpga
fsi
gpio gpio: zynq: Check return value of pm_runtime_get_sync 2021-07-20 16:17:50 +02:00
gpu drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling 2021-10-20 10:42:05 +02:00
hid HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS 2021-10-17 10:08:34 +02:00
hsi HSI: core: fix resource leaks in hsi_add_client_from_dt() 2021-05-22 10:57:31 +02:00
hv hv_utils: Fix passing zero to 'PTR_ERR' warning 2021-07-20 16:17:33 +02:00
hwmon hwmon: (tmp421) fix rounding for negative values 2021-10-06 15:05:08 +02:00
hwspinlock
hwtracing intel_th: Wait until port is in reset before programming it 2021-07-20 16:17:51 +02:00
i2c i2c: acpi: fix resource leak in reconfiguration device addition 2021-10-17 10:08:33 +02:00
ide
idle
iio iio: ssp_sensors: fix error code in ssp_print_mcu_debug() 2021-10-20 10:42:04 +02:00
infiniband RDMA/iwcm: Release resources if iw_cm module initialization fails 2021-09-22 11:45:26 +02:00
input Input: xpad - add support for another USB ID of Nacon GC-100 2021-10-20 10:42:03 +02:00
iommu iommu/vt-d: Fix sysfs leak in alloc_iommu() 2021-06-03 08:36:12 +02:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:05:09 +02:00
irqchip irqchip/gic-v3-its: Fix potential VPE leak on error 2021-10-06 15:05:06 +02:00
isdn isdn: cpai: check ctr->cnr to avoid array index out of bound 2021-10-27 09:51:40 +02:00
leds leds: ktd2692: Fix an error handling path 2021-07-20 16:17:41 +02:00
lightnvm
macintosh
mailbox
mcb mcb: fix error handling in mcb_alloc_bus() 2021-10-06 15:05:05 +02:00
md md: fix a lock order reversal in md_alloc 2021-10-06 15:05:06 +02:00
media media: v4l2-dv-timings.c: fix wrong condition in two for-loops 2021-09-22 11:45:29 +02:00
memory memory: fsl_ifc: fix leak of private memory on probe failure 2021-07-20 16:17:55 +02:00
memstick
message
mfd mfd: Don't use irq_create_mapping() to resolve a mapping 2021-09-22 11:45:34 +02:00
misc cb710: avoid NULL pointer subtraction 2021-10-20 10:42:03 +02:00
mmc mmc: rtsx_pci: Fix long reads when clock is prescaled 2021-09-22 11:45:30 +02:00
mtd mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' 2021-09-22 11:45:35 +02:00
mux
net can: peak_pci: peak_pci_remove(): fix UAF 2021-10-27 09:51:40 +02:00
nfc nfc: nfcsim: fix use after free during module unload 2021-08-04 12:22:16 +02:00
ntb
nubus
nvdimm
nvme nvme-rdma: don't update queue count when failing to set io queues 2021-09-22 11:45:17 +02:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 10:42:04 +02:00
of of: Fix truncation of memory sizes on 32-bit platforms 2021-07-20 16:17:40 +02:00
oprofile
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-26 13:37:29 +02:00
parport parport: remove non-zero check on count 2021-09-22 11:45:31 +02:00
pci PCI: aardvark: Fix checking for PIO status 2021-10-06 15:05:07 +02:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-15 13:03:32 +02:00
perf perf/arm_pmu_platform: Fix error handling 2021-05-22 10:57:17 +02:00
phy phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() 2021-07-20 16:17:41 +02:00
pinctrl pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() 2021-09-22 11:45:26 +02:00
platform platform/chrome: cros_ec_proto: Send command again when timeout occurs 2021-09-22 11:45:32 +02:00
pnp
power power: supply: max17042: handle fails of reading status register 2021-09-22 11:45:24 +02:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-17 10:08:33 +02:00
pwm pwm: rockchip: Don't modify HW state in .remove() callback 2021-09-26 13:37:30 +02:00
rapidio rapidio: handle create_workqueue() failure 2021-05-26 11:46:59 +02:00
ras
regulator regulator: da9052: Ensure enough delay time for .set_voltage_time_sel 2021-07-20 16:17:32 +02:00
remoteproc
reset reset: ti-syscon: fix to_ti_syscon_reset_data macro 2021-07-28 11:12:14 +02:00
rpmsg rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() 2021-05-22 10:57:38 +02:00
rtc rtc: tps65910: Correct driver module alias 2021-09-22 11:45:23 +02:00
s390 s390/cio: add dev_busid sysfs entry for each subchannel 2021-09-22 11:45:18 +02:00
sbus
scsi scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" 2021-10-17 10:08:34 +02:00
sfi
sh
sn
soc soc: qcom: smsm: Fix missed interrupts if state changes while masked 2021-09-22 11:45:20 +02:00
spi spi: Fix tegra20 build with CONFIG_PM=n 2021-10-06 15:05:07 +02:00
spmi
ssb ssb: sdio: Don't overwrite const buffer if block_write fails 2021-07-20 16:17:30 +02:00
staging staging: greybus: uart: fix tty use after free 2021-10-06 15:05:05 +02:00
target scsi: target: Fix protect handling in WRITE SAME(32) 2021-07-28 11:12:18 +02:00
tc
tee tee: optee: do not check memref size on return from Secure World 2021-05-22 10:57:16 +02:00
thermal thermal/core: Potential buffer overflow in thermal_build_list_of_policies() 2021-10-06 15:05:06 +02:00
thunderbolt thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue 2021-06-03 08:36:15 +02:00
tty tty: Fix out-of-bound vmalloc access in imageblit 2021-10-06 15:05:08 +02:00
uio
usb USB: serial: option: add prod. id for Quectel EG91 2021-10-20 10:42:04 +02:00
uwb
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-22 11:45:26 +02:00
vhost vringh: Use wiov->used to check for read/write desc order 2021-09-03 09:56:25 +02:00
video video: fbdev: riva: Error out if 'pixclock' equals zero 2021-09-22 11:45:28 +02:00
virt
virtio virtio: write back F_VERSION_1 before validate 2021-10-20 10:42:04 +02:00
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:17:49 +02:00
watchdog Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" 2021-08-08 08:53:29 +02:00
xen xen/balloon: fix cancelled balloon action 2021-10-17 10:08:32 +02:00
zorro
Kconfig
Makefile