1 files changed, 39 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
new file mode 100644
index 000000000..93d21e5da
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
@@ -0,0 +1,39 @@
+From 2133f451311671c7c42b5640d2b999326b39aa0e Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+Date: Sat, 13 Aug 2022 23:34:16 +0300
+Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes()
+
+[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ]
+
+Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
+which makes it possible to overflow the nps[] buffer...
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE static
+analysis tool.
+
+Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 520ed965bb7a4e..583ca847a39cba 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -314,7 +314,7 @@ static int unflatten_dt_nodes(const void *blob,
+ 	for (offset = 0;
+ 	     offset >= 0 && depth >= initial_depth;
+ 	     offset = fdt_next_node(blob, offset, &depth)) {
+-		if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
++		if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1))
+ 			continue;
+ 
+ 		if (!IS_ENABLED(CONFIG_OF_KOBJ) &&
+-- 
+cgit 1.2.3-korg
+