In the Linux kernel, the following vulnerability has been resolved: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() The if statement: if (port >= DSAF_GE_NUM) return; limits the value of port less than DSAF_GE_NUM (i.e., 8). However, if the value of port is 6 or 7, an array overflow could occur: port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). To fix this possible array overflow, we first check port and if it is greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
The hns_dsaf_ge_srst_by_port() function checks whether the passed port parameter value is less than DSAF_GE_NUM (8), however the dsaf_dev->mac_cb array has a length of DSAF_MAX_PORT_NUM (6). When the port value is 6 or 7, the precondition does not block access, and the code accesses an array element outside its boundaries. The fix consists of adding an earlier check that terminates function execution if port is greater than or equal to DSAF_MAX_PORT_NUM (6).
An attacker can cause a write outside array boundaries in kernel space, potentially leading to arbitrary code execution (RCE), privilege escalation, or system destabilization.
Apply patches available from the manufacturer according to the references. Fixes have been published in the Linux kernel stable repository under the following commits: 22519eff7df2, 948968f8747650, 99bb25cb6753be, a66998e0fbf213, abbd5faa0748d0.
Linux Kernel — versions indicated in the manufacturer's references (HiSilicon HNS ethernet driver, hns_dsaf_misc component)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux5.164.10 – 4.14.257 (bez)4.15 – 4.19.220 (bez)< 4.9.2925.5 – 5.10.84 (bez)5.11 – 5.15.7 (bez)4.20 – 5.4.164 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...