In the Linux kernel, the following vulnerability has been resolved:
of: fdt: fix off-by-one error in unflatten_dt_nodes()
Commit 78c44d910d3e (“drivers/of: Fix depth when unflattening devicetree”)
forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
which makes it possible to overflow the nps[] buffer…
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/of/fdt.c"
],
"versions": [
{
"version": "78c44d910d3e",
"lessThan": "cbdda20ce363",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "2566706ac639",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "e0e88c25f88b",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "ee4369260e77",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "ba6b9f7cc110",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "2133f4513116",
"status": "affected",
"versionType": "git"
},
{
"version": "78c44d910d3e",
"lessThan": "2f945a792f67",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/of/fdt.c"
],
"versions": [
{
"version": "4.7",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.7",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.14.295",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.260",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.215",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.145",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.70",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.19.11",
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.0",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/2133f451311671c7c42b5640d2b999326b39aa0e
git.kernel.org/stable/c/2566706ac6393386a4e7c4ce23fe17f4c98d9aa0
git.kernel.org/stable/c/2f945a792f67815abca26fa8a5e863ccf3fa1181
git.kernel.org/stable/c/ba6b9f7cc1108bad6e2c53b1d6e0156379188db7
git.kernel.org/stable/c/cbdda20ce363356698835185801a58a28f644853
git.kernel.org/stable/c/e0e88c25f88b9805572263c9ed20f1d88742feaf
git.kernel.org/stable/c/ee4369260e77821602102dcc7d792de39a56365c