On Tue, Feb 25, 2020 at 8:20 AM Dan Carpenter <[email protected]> wrote:
>
> The 'func' variable can come from the user in the __nd_ioctl().  If it's
> too high then the (1 << func) shift in acpi_nfit_clear_to_send() is
> undefined.  In acpi_nfit_ctl() we pass 'func' to test_bit(func, &dsm_mask)
> which could result in an out of bounds access.
>
> To fix these issues, I introduced the NVDIMM_CMD_MAX (31) define and
> updated nfit_dsm_revid() to use that define as well instead of magic
> numbers.
>
> Fixes: 11189c1089da ("acpi/nfit: Fix command-supported detection")
> Signed-off-by: Dan Carpenter <[email protected]>

Reviewed-by: Dan Williams <[email protected]>

I'll apply this to my fixes branch.
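
The range check described in the quoted commit message, as an added user-space example that is not part of the original message or of the kernel patch. NVDIMM_CMD_MAX (31) comes from the commit message; `model_test_bit()`, `cmd_supported()`, `func_to_bit()`, the `-EINVAL` return value and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define NVDIMM_CMD_MAX 31 /* value stated in the commit message */
#define WORD_BITS (sizeof(unsigned long) * CHAR_BIT)

/* Stand-in for the kernel's test_bit(): it indexes an array of longs, so an
 * unvalidated nr walks past a one-word mask. Callers must bound nr first. */
static int model_test_bit(unsigned int nr, const unsigned long *addr)
{
	return (int)((addr[nr / WORD_BITS] >> (nr % WORD_BITS)) & 1UL);
}

/* Hypothetical helper: 1 if func is set in dsm_mask, 0 if not,
 * -EINVAL if func is outside 0..NVDIMM_CMD_MAX (error code is an assumption). */
static int cmd_supported(unsigned int func, unsigned long dsm_mask)
{
	if (func > NVDIMM_CMD_MAX)
		return -EINVAL; /* reject before any bit operation sees func */
	return model_test_bit(func, &dsm_mask);
}

/* Hypothetical helper: writes the single-bit mask for func to *bit.
 * Shifting a 32-bit value by 32 or more is undefined, hence the same check;
 * 1U keeps the func == 31 case out of the sign bit. */
static int func_to_bit(unsigned int func, unsigned int *bit)
{
	if (func > NVDIMM_CMD_MAX)
		return -EINVAL;
	*bit = 1U << func;
	return 0;
}

int main(void)
{
	/* Constructed inputs: in-range values, the boundary, and oversized ones. */
	const unsigned int funcs[] = { 0, 5, 31, 32, 64, 4096 };
	const unsigned long dsm_mask = (1UL << 5) | (1UL << 31); /* constructed */
	unsigned int bit;
	for (size_t i = 0; i < sizeof(funcs) / sizeof(funcs[0]); i++) {
		int rc = func_to_bit(funcs[i], &bit);
		printf("func=%u supported=%d shift_rc=%d\n", funcs[i],
		       cmd_supported(funcs[i], dsm_mask), rc);
	}
	return 0;
}
```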