CVE-2026-43205
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken.
build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= …
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < a26dda3bae469c8e4e1b1993ad33dafa32d0fc28 | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < a3034a8d56174dd6464c46823438f25797910a8d | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < b690635d4719214892855b79ce018d4b1672ac96 | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < 8b841fd529db9faf8bc678d429d4bf4e98b10900 | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < 89764cf44544e943230f5e03b8c40a90da26537c | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < c18493f750208eb4ff1198fc5a02786b8b2d70a6 | affected |
| Linux | Linux | 539dda3c5d190c5088b5e57944b1b482fcb464de < 8a5752c6dcc085a3bfc78589925182e4e98468c5 | affected |
| Linux | Linux | 5.13 | affected |
| Linux | Linux | 0 < 5.13 | unaffected |
| Linux | Linux | 5.15.202 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.165 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.128 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.16 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.6 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28
- https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d
- https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96
- https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900
- https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c
- https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6
- https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.