

CVE-2025-38086

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ch9200: fix uninitialised access during mii_nway_restart

In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read():

    if (err == size) {
        memcpy(data, buf, size);
    }

If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read():

    return (buff[0] | buff[1] << 8);

The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff".

To fix this we should check the return value of control_read() and return early on error.
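
A user-space C model of the pattern the description walks through, added here as an illustration and not taken from the kernel's ch9200 driver. The names fake_usb_transfer, model_control_read, xfer_result and POISON are hypothetical; the poison fill stands in for stale stack bytes so the unchecked read gives a deterministic result.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define POISON 0xAA      /* constructed: stands in for stale stack bytes */
static int xfer_result;  /* constructed: bytes "transferred", or -errno */

/* Hypothetical stand-in for the USB control transfer. */
static int fake_usb_transfer(unsigned char *buf, int size)
{
    static const unsigned char reg[2] = { 0x09, 0x78 }; /* sample register */
    int n = xfer_result < size ? xfer_result : size;
    if (n > 0)
        memcpy(buf, reg, (size_t)n);
    return xfer_result < 0 ? xfer_result : n;
}

/* 'data' is written only on a full read; short read -> -EINVAL (assumed). */
static int model_control_read(unsigned char *data, int size)
{
    unsigned char buf[2] = { 0 };
    int err = fake_usb_transfer(buf, size);
    if (err == size)
        memcpy(data, buf, (size_t)size);
    return err == size ? 0 : (err < 0 ? err : -EINVAL);
}

/* Before: return value ignored, stale bytes come back as a register value. */
static int mdio_read_unchecked(void)
{
    unsigned char buff[2];
    memset(buff, POISON, sizeof(buff)); /* deterministic "uninitialised" */
    model_control_read(buff, 2);
    return buff[0] | buff[1] << 8;
}

/* After: return early on error, before 'buff' is read. */
static int mdio_read_checked(void)
{
    unsigned char buff[2];
    int ret = model_control_read(buff, 2);
    return ret < 0 ? ret : (buff[0] | buff[1] << 8);
}

int main(void)
{
    for (xfer_result = 2; xfer_result >= 1; xfer_result--)
        printf("xfer=%d unchecked=0x%x checked=%d\n", xfer_result,
               (unsigned)mdio_read_unchecked(), mdio_read_checked());
    return 0;
}
```

On a short or failed transfer the unchecked variant returns the poison pattern as if it were a valid register value, while the checked variant returns a negative errno the caller can act on.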

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security