On Fri, Feb 14, 2020 at 10:48:08AM -0500, Sasha Levin wrote: > From: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> > > [ Upstream commit 98c49f1746ac44ccc164e914b9a44183fad09f51 ] > > Currently, there is an out-of-bounds read on array hpetp->hp_dev > in the following for loop: > > 870 for (i = 0; i < hdp->hd_nirqs; i++) > 871 hpetp->hp_dev[i].hd_hdwirq = hdp->hd_irq[i]; > > This is due to the recent change from one-element array to > flexible-array member in struct hpets: > > 104 struct hpets { > ... > 113 struct hpet_dev hp_dev[]; > 114 }; > > This change affected the total size of the dynamic memory > allocation, decreasing it by one time the size of struct hpet_dev. > > Fix this by adjusting the allocation size when calling > struct_size(). > > Fixes: 987f028b8637c ("char: hpet: Use flexible-array member") > Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> > Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > Acked-by: Eric Biggers <ebiggers@xxxxxxxxxx> > Link: https://lore.kernel.org/r/20200129022613.GA24281@xxxxxxxxxxxxxx > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> > --- > drivers/char/hpet.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c > index aed2c45f7968c..ed3b7dab678db 100644 > --- a/drivers/char/hpet.c > +++ b/drivers/char/hpet.c > @@ -855,7 +855,7 @@ int hpet_alloc(struct hpet_data *hdp) > return 0; > } > > - hpetp = kzalloc(struct_size(hpetp, hp_dev, hdp->hd_nirqs - 1), > + hpetp = kzalloc(struct_size(hpetp, hp_dev, hdp->hd_nirqs), > GFP_KERNEL); > > if (!hpetp) > -- > 2.20.1 > Not needed unless you have the other patch that I asked you to drop added :)
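Review bot: the new count in the hunk is only correct on a tree that already carries 987f028b8637c from the Fixes: tag. struct_size() adds `count` array elements to sizeof(*hpetp), so with the flexible-array `hp_dev[]` the count must equal hdp->hd_nirqs for the allocation to cover the loop at lines 870-871, whereas with the old one-element `hp_dev[1]` (whose single element is already inside sizeof) the previous `hdp->hd_nirqs - 1` was right and the new count over-allocates by one struct hpet_dev. A stable branch should therefore queue this hunk only together with the flexible-array conversion, which is what the reply saying it is not needed on its own amounts to.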
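As an added user-space illustration (not the commit's code and not drivers/char/hpet.c), the two struct layouts from the commit message are modelled with a stand-in struct_size() so the one-element shortfall can be measured; only hp_dev and hd_hdwirq come from the page, the other field names are assumptions:

```c
#include <stddef.h>

/* Stand-ins for the kernel types, constructed for this example: only hp_dev
 * and hd_hdwirq come from the commit message, the other fields are assumed. */
struct hpet_dev { unsigned long hd_hdwirq; void *hd_hpet; int hd_flags; };

/* Before 987f028b8637c: one-element array, so sizeof() already holds one
 * struct hpet_dev.  After it: flexible-array member, sizeof() holds none. */
struct hpets_old { void *hp_hpet; int hp_ntimer; struct hpet_dev hp_dev[1]; };
struct hpets_new { void *hp_hpet; int hp_ntimer; struct hpet_dev hp_dev[]; };

/* User-space equivalent of the kernel's struct_size(): the struct itself
 * plus `count` trailing array elements (sizeof never evaluates p). */
#define struct_size(p, member, count) \
	(sizeof(*(p)) + sizeof((p)->member[0]) * (size_t)(count))

/* Bytes touched by "for (i = 0; i < nirqs; i++) hp_dev[i].hd_hdwirq = ..."
 * on the flexible-array layout. */
static size_t bytes_needed_new(unsigned nirqs)
{
	return offsetof(struct hpets_new, hp_dev) + nirqs * sizeof(struct hpet_dev);
}

/* Pre-fix count (hd_nirqs - 1) on the flexible-array layout: one short. */
static size_t alloc_buggy(unsigned nirqs)
{
	struct hpets_new *p = NULL;
	return struct_size(p, hp_dev, nirqs - 1);
}

/* Post-fix count (hd_nirqs) on the flexible-array layout. */
static size_t alloc_fixed(unsigned nirqs)
{
	struct hpets_new *p = NULL;
	return struct_size(p, hp_dev, nirqs);
}

/* The same hd_nirqs - 1 count was correct for the old one-element layout. */
static size_t alloc_old_layout(unsigned nirqs)
{
	struct hpets_old *p = NULL;
	return struct_size(p, hp_dev, nirqs - 1);
}

/* Bytes by which the loop's last write overshoots the buggy allocation. */
static long shortfall(unsigned nirqs)
{
	return (long)bytes_needed_new(nirqs) - (long)alloc_buggy(nirqs);
}
```

For any hd_nirqs the buggy allocation is exactly sizeof(struct hpet_dev) bytes short of what the loop writes, while the old count on the old layout and the new count on the new layout yield the same size.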