Skip to content

Commit 7d03b41

Browse files
jcfaraccojcfaracco
committed
Merge: CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/721 JIRA: https://issues.redhat.com/browse/RHEL-86845 CVE: CVE-2025-21993 ``` commit 07e0d99 Author: Chengen Du <chengen.du@canonical.com> Date: Tue Jan 14 12:12:34 2025 +0800 iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. Signed-off-by: Chengen Du <chengen.du@canonical.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>``` Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-04-11 05:52 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: Lenny Szubowicz <lszubowi@redhat.com> Approved-by: Steve Best <sbest@redhat.com> Approved-by: Mark Langsdorf <mlangsdo@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Julio Faracco <jfaracco@redhat.com>
2 parents 5eff486 + e3107e0 commit 7d03b41

File tree

1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

drivers/firmware/iscsi_ibft.c

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -310,7 +310,10 @@ static ssize_t ibft_attr_show_nic(void *data, int type, char *buf)
310310
str += sprintf_ipaddr(str, nic->ip_addr);
311311
break;
312312
case ISCSI_BOOT_ETH_SUBNET_MASK:
313-
val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
313+
if (nic->subnet_mask_prefix > 32)
314+
val = cpu_to_be32(~0);
315+
else
316+
val = cpu_to_be32(~((1 << (32-nic->subnet_mask_prefix))-1));
314317
str += sprintf(str, "%pI4", &val);
315318
break;
316319
case ISCSI_BOOT_ETH_PREFIX_LEN:

0 commit comments

Comments
 (0)