1735633 – (CVE-2016-10764) CVE-2016-10764 kernel: off by one in function cqspi_setup_flash() in drivers/mtd/spi-nor/cadence-quadspi.c

Bug 1735633 (CVE-2016-10764) - CVE-2016-10764 kernel: off by one in function cqspi_setup_flash() in drivers/mtd/spi-nor/cadence-quadspi.c

Summary: CVE-2016-10764 kernel: off by one in function cqspi_setup_flash() in drivers/...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-10764
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1735634
Blocks:	1735635
TreeView+	depends on / blocked

Reported:	2019-08-01 07:48 UTC by Dhananjay Arunesh
Modified:	2021-02-16 21:34 UTC (History)
CC List:	44 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in Linux Kernel, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. A local attacker who is able to trigger the device probe mechanism of a cadence quadspi Memory Technology Device may be able to corrupt memory or possibly escalate privileges.
Clone Of:
Environment:
Last Closed:	2019-11-20 18:51:34 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-08-01 07:48:29 UTC

A vulnerability was found in Linux Kernel, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the ">" should be ">=" instead.

Reference:
https://github.com/torvalds/linux/commit/193e87143c290ec16838f5368adc0e0bc94eb931
https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.6
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=193e87143c290ec16838f5368adc0e0bc94eb931

Comment 1 Dhananjay Arunesh 2019-08-01 07:49:02 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1735634]

Comment 2 Justin M. Forbes 2019-08-01 12:36:45 UTC

This was fixed for Fedora in 4.9.6 and never impacted any currently supported Fedora releases.

Comment 6 Product Security DevOps Team 2019-11-20 18:51:34 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-10764

Note You need to log in before you can comment on or make changes to this bug.

acaringi
airlied
bhu
blc
brdeoliv
bskeggs
dhoward
dvlasenk
esammons
fhrbata
hdegoede
hkrzesin
iboverma
ichavero
itamar
jarodwilson
jeremy
jforbes
jglisse
jlelli
john.j5live
jonathan
josef
jross
jshortt
jstancek
jwboyer
kernel-maint
kernel-mgr
labbott
lgoncalv
linville
matt
mchehab
mcressma
mjg59
mlangsdo
nmurray
plougher
rt-maint
rvrbovsk
steved
williams
yozone