From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Gustavo A. R. Silva", Tetsuo Handa, Eric Biggers, Sasha Levin
Subject: [PATCH 5.5 362/399] char: hpet: Fix out-of-bounds read bug
Date: Fri, 21 Feb 2020 08:41:27 +0100
Message-Id: <20200221072435.896514172@linuxfoundation.org>
In-Reply-To: <20200221072402.315346745@linuxfoundation.org>
References: <20200221072402.315346745@linuxfoundation.org>

From: Gustavo A. R. Silva

[ Upstream commit 98c49f1746ac44ccc164e914b9a44183fad09f51 ]

Currently, there is an out-of-bounds read on array hpetp->hp_dev
in the following for loop:

870         for (i = 0; i < hdp->hd_nirqs; i++)
871                 hpetp->hp_dev[i].hd_hdwirq = hdp->hd_irq[i];

This is due to the recent change from one-element array to
flexible-array member in struct hpets:

104 struct hpets {
        ...
113         struct hpet_dev hp_dev[];
114 };

This change affected the total size of the dynamic memory
allocation, decreasing it by one time the size of struct hpet_dev.

Fix this by adjusting the allocation size when calling
struct_size().

Fixes: 987f028b8637c ("char: hpet: Use flexible-array member")
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Tetsuo Handa
Acked-by: Eric Biggers
Link: https://lore.kernel.org/r/20200129022613.GA24281@embeddedor.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- drivers/char/hpet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c index 9ac6671bb5141..f69609b47fef8 100644 --- a/drivers/char/hpet.c +++ b/drivers/char/hpet.c
@@ -855,7 +855,7 @@ int hpet_alloc(struct hpet_data *hdp) return 0; } - hpetp = kzalloc(struct_size(hpetp, hp_dev, hdp->hd_nirqs - 1), + hpetp = kzalloc(struct_size(hpetp, hp_dev, hdp->hd_nirqs), GFP_KERNEL); if (!hpetp) -- 2.20.1
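
Review bot: the defect behind the changed kzalloc() line is a store past the allocation, not a read, so the subject and changelog should say "out-of-bounds write". The loop quoted in the commit message assigns to hpetp->hp_dev[i].hd_hdwirq for every i below hdp->hd_nirqs, and with the old count of hdp->hd_nirqs - 1 the final iteration wrote one struct hpet_dev beyond the buffer, which matters for how the stable backport is triaged. The corrected count is consistent with that loop bound; a one-line comment above the allocation tying the struct_size() count to the loop would help keep the two in step.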
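
The size arithmetic described in the commit message, worked through as an added userspace example (not code from the patch or the kernel tree). The fields of struct hpet_dev, the hp_ntimer header field, flex_size() and the alloc_*/loop_extent helpers are stand-ins assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel's struct hpet_dev (real layout differs). */
struct hpet_dev { unsigned int hd_hdwirq; unsigned long hd_flags; };

/* Before the flexible-array conversion: one element lives inside sizeof(). */
struct hpets_old { unsigned int hp_ntimer; struct hpet_dev hp_dev[1]; };
/* After the conversion: sizeof() covers the header only. */
struct hpets_new { unsigned int hp_ntimer; struct hpet_dev hp_dev[]; };

/* Userspace model of struct_size(): header + n * elem, saturating on overflow. */
size_t flex_size(size_t header, size_t elem, size_t n)
{
    if (elem != 0 && n > (SIZE_MAX - header) / elem)
        return SIZE_MAX;
    return header + n * elem;
}

/* Old layout, old count: the "- 1" compensates for the built-in element. */
size_t alloc_old_layout(size_t nirqs)
{
    return flex_size(sizeof(struct hpets_old), sizeof(struct hpet_dev), nirqs - 1);
}

/* New layout, stale "- 1" count: the state the patch repairs. */
size_t alloc_buggy(size_t nirqs)
{
    return flex_size(sizeof(struct hpets_new), sizeof(struct hpet_dev), nirqs - 1);
}

/* New layout, corrected count. */
size_t alloc_fixed(size_t nirqs)
{
    return flex_size(sizeof(struct hpets_new), sizeof(struct hpet_dev), nirqs);
}

/* Bytes the init loop touches: end of hp_dev[nirqs - 1]. */
size_t loop_extent(size_t nirqs)
{
    return offsetof(struct hpets_new, hp_dev) + nirqs * sizeof(struct hpet_dev);
}

int main(void)
{
    size_t n = 3; /* constructed sample IRQ count */
    printf("old layout %zu, buggy %zu, fixed %zu, loop needs %zu\n",
           alloc_old_layout(n), alloc_buggy(n), alloc_fixed(n), loop_extent(n));
    return 0;
}
```

The buggy size falls short of the loop's extent by exactly sizeof(struct hpet_dev), which is the "one time the size of struct hpet_dev" the commit message refers to.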