From: Julian Wiedmann <jwi@linux.ibm.com>
Subject: s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function
Patch-mainline: v4.19-rc7
Git-commit: 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
References: bnc#1113501, LTC#172682, FATE#326350, LTC#169511, bsc#1113509

Description:  qeth: Fix potential array overrun in cmd/rc lookup
Symptom:      Infinite loop when processing a received cmd.
Problem:      qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
              to build human-readable messages for received cmd data.

              They store the to-be translated value in the last entry of a
              global array, and then iterate over each entry until they find
              the queried value (and the corresponding message string).
              If there is no prior match, the lookup is intended to stop at
              the final entry (which was previously prepared).

              If two qeth devices are concurrently processing a received cmd,
              one lookup can over-write the last entry of the global array
              while a second lookup is in process. This second lookup will then
              never hit its stop-condition, and loop.
Solution:     Remove the modification of the global array, and limit the number
              of iterations to the size of the array.
Reproduction: -

Upstream-Description:

              s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function

              Use the common code ARRAY_SIZE macro instead of a private implementation.

              Reviewed-by: Jean Delvare <jdelvare@suse.de>
              Signed-off-by: zhong jiang <zhongjiang@huawei.com>
              Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
              Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
              Signed-off-by: David S. Miller <davem@davemloft.net>


Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
 drivers/s390/net/qeth_core_mpc.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/s390/net/qeth_core_mpc.c
+++ b/drivers/s390/net/qeth_core_mpc.c
@@ -222,8 +222,7 @@ static struct ipa_rc_msg qeth_ipa_rc_msg[] = {
 char *qeth_get_ipa_msg(enum qeth_ipa_return_codes rc)
 {
 	int x = 0;
-	qeth_ipa_rc_msg[sizeof(qeth_ipa_rc_msg) /
-			sizeof(struct ipa_rc_msg) - 1].rc = rc;
+	qeth_ipa_rc_msg[ARRAY_SIZE(qeth_ipa_rc_msg) - 1].rc = rc;
 	while (qeth_ipa_rc_msg[x].rc != rc)
 		x++;
 	return qeth_ipa_rc_msg[x].msg;
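Review bot: The store into the last slot of the global table survives this change (`qeth_ipa_rc_msg[ARRAY_SIZE(qeth_ipa_rc_msg) - 1].rc = rc;`), and the `while (qeth_ipa_rc_msg[x].rc != rc)` loop below it still has no bound on `x`. That is the pattern the Description identifies as the problem: a concurrent caller can overwrite the sentinel mid-lookup, so the loop misses its stop condition and indexes past the end of the array. This hunk only swaps the size computation, so it reads as a preparatory cleanup rather than the fix itself. The commit text should say so, or the hunk should drop the store and bound the loop, for example `while (x < ARRAY_SIZE(qeth_ipa_rc_msg) - 1 && qeth_ipa_rc_msg[x].rc != rc)`, keeping the final entry as the fallback message.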
@@ -270,9 +269,7 @@ static struct ipa_cmd_names qeth_ipa_cmd_names[] = {
 char *qeth_get_ipa_cmd_name(enum qeth_ipa_cmds cmd)
 {
 	int x = 0;
-	qeth_ipa_cmd_names[
-		sizeof(qeth_ipa_cmd_names) /
-			sizeof(struct ipa_cmd_names)-1].cmd = cmd;
+	qeth_ipa_cmd_names[ARRAY_SIZE(qeth_ipa_cmd_names) - 1].cmd = cmd;
 	while (qeth_ipa_cmd_names[x].cmd != cmd)
 		x++;
 	return qeth_ipa_cmd_names[x].name;
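Review bot: Same concern in `qeth_get_ipa_cmd_name()`: the lookup still writes `cmd` into the last element of the shared `qeth_ipa_cmd_names[]` table and then walks it with an unbounded `x++`, so two devices resolving different commands at the same time can still race on the sentinel. Once the write is removed and the loop is limited to `ARRAY_SIZE(qeth_ipa_cmd_names) - 1` iterations, the table no longer needs to be writable; consider declaring it `static const` so any future attempt to reintroduce the sentinel store fails at compile time. Note also that `x` is a signed `int` while `ARRAY_SIZE()` yields an unsigned value, so an unsigned index would avoid a signed/unsigned comparison in the bounded loop.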