Dan Carpenter fa6950e4da ipmi: ssif_bmc: prevent integer overflow on 32bit systems ... [ Upstream commit 0627cef361 ] There are actually two bugs here. First, we need to ensure that count is at least sizeof(u32) or msg.len will be uninitialized data. The "msg.len" variable is a u32 that comes from the user. On 32bit systems the "sizeof_field(struct ipmi_ssif_msg, len) + msg.len" addition can overflow if "msg.len" is greater than U32_MAX - 4. Valid lengths for "msg.len" are 1-254. Add a check for that to prevent the integer overflow. Fixes: dd2bc5cc9e ("ipmi: ssif_bmc: Add SSIF BMC driver") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Message-Id: <1431ca2e-4e9c-4520-bfc0-6879313c30e9@moroto.mountain> Signed-off-by: Corey Minyard <corey@minyard.net> Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-08-03 08:53:48 +02:00
..
bt-bmc.c
ipmb_dev_int.c
ipmi_bt_sm.c
ipmi_devintf.c
ipmi_dmi.c
ipmi_dmi.h
ipmi_ipmb.c
ipmi_kcs_sm.c
ipmi_msghandler.c
ipmi_plat_data.c
ipmi_plat_data.h
ipmi_powernv.c
ipmi_poweroff.c
ipmi_si_hardcode.c
ipmi_si_hotmod.c
ipmi_si_intf.c
ipmi_si_mem_io.c
ipmi_si_parisc.c
ipmi_si_pci.c
ipmi_si_platform.c
ipmi_si_port_io.c
ipmi_si_sm.h
ipmi_si.h
ipmi_smic_sm.c
ipmi_ssif.c
ipmi_watchdog.c
Kconfig
kcs_bmc_aspeed.c
kcs_bmc_cdev_ipmi.c
kcs_bmc_client.h
kcs_bmc_device.h
kcs_bmc_npcm7xx.c
kcs_bmc_serio.c
kcs_bmc.c
kcs_bmc.h
Makefile
ssif_bmc.c	ipmi: ssif_bmc: prevent integer overflow on 32bit systems	2024-08-03 08:53:48 +02:00