In the Linux kernel, the following vulnerability has been resolved:
net: lan743x: fix potential out-of-bounds write in lan743xptpioeventclock_get()
Before calling lan743xptpioeventclockget(), the 'channel' value is checked against the maximum value of PCI11X1XPTPIOMAXCHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTPINT_STS) specifications.
However, lan743xptpioeventclockget() writes to ptp->extts[] with only LAN743XPTPNEXTTS(4) elements, using channel as an index:
lan743x_ptp_io_event_clock_get(..., u8 channel,...)
{
...
/* Update Local timestamp */
extts = &ptp->extts[channel];
extts->ts.tv_sec = sec;
...
}
To avoid an out-of-bounds write and utilize all the supported GPIO inputs, set LAN743XPTPN_EXTTS to 8.
Detected using the static analysis tool - Svace.