On Wed, Jul 13, 2022 at 09:40:37PM +0800, NAME wrote:
> From: sohu0106 <sohu0...@126.com>

For obvious reasons, we need a real name here, and in the signed-off-by line.

> In the do_adb_query function of drivers/macintosh/adb.c,
> req->data is copied from userland. The parameter
> "req->data[2]" is missing a check; the array size of
> adb_handler[] is 16, so "adb_handler[req->data[2]].
> original_address" and "adb_handler[req->data[2]].
> handler_id" will lead to an OOB read.

You can use all 72 columns, if you want to re-wrap these lines when you resend.

>
> Signed-off-by: sohu0106 <sohu0...@126.com>
> ---
> drivers/macintosh/adb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
> index 439fab4eaa85..1bbb9ca08d40 100644
> --- a/drivers/macintosh/adb.c
> +++ b/drivers/macintosh/adb.c
> @@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req)
>
> switch(req->data[1]) {
> case ADB_QUERY_GETDEVINFO:
> - if (req->nbytes < 3)
> + if (req->nbytes < 3 || req->data[2] >= 16)

Shouldn't 16 be the array size instead of having this hard coded to a magic number? Something like "sizeof(adb_handler) / sizeof(struct adb_handler)"? Maybe not, that's messy, your choice.

thanks,

greg k-h
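Review bot: the "+" line in the do_adb_query hunk swaps one magic number for another: "req->data[2] >= 16" is only correct for as long as adb_handler[] keeps exactly 16 entries, so derive the bound from the array itself, for example "req->data[2] >= ARRAY_SIZE(adb_handler)" (the kernel's ARRAY_SIZE macro is the usual spelling of the sizeof/sizeof expression suggested above). The one-sided ">= 16" test also assumes req->data[2] is an unsigned type; if the element type of req->data were signed, a negative value would pass the check and still index before the start of the array, so confirm the type before relying on the upper bound alone. The shape of the fix is otherwise right: the index is validated before either adb_handler[req->data[2]] read named in the commit message, and it is ORed with the existing "req->nbytes < 3" length check so data[2] is never examined before the request is known to contain it.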