[lvc-project] [PATCH 5.10] visorbus: fix pointer arithmetic bug in parser_name_get()
Ivan Stepchenko
sid at itb.spb.ru
Tue Apr 15 18:39:40 MSK 2025
In parser_name_get(), the pointer arithmetic incorrectly uses &phdr
instead of phdr to calculate the new pointer offset. This leads to an
invalid pointer that can cause out-of-bounds memory access and potential
kernel crash or other undefined behavior.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 26a42c251ed8 ("staging: unisys: Change data to point to visor_controlvm_parameters_header.")
Cc: stable at vger.kernel.org
Signed-off-by: Ivan Stepchenko <sid at itb.spb.ru>
---
drivers/visorbus/visorchipset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/visorbus/visorchipset.c b/drivers/visorbus/visorchipset.c
index 5668cad86e37..6de504b6a7e0 100644
--- a/drivers/visorbus/visorchipset.c
+++ b/drivers/visorbus/visorchipset.c
@@ -584,7 +584,7 @@ static void *parser_name_get(struct parser_context *ctx)
if ((unsigned long)phdr->name_offset +
(unsigned long)phdr->name_length > ctx->param_bytes)
return NULL;
- ctx->curr = (char *)&phdr + phdr->name_offset;
+ ctx->curr = (char *)phdr + phdr->name_offset;
ctx->bytes_remaining = phdr->name_length;
return parser_string_get(ctx->curr, phdr->name_length);
}
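Review bot: the base-pointer fix is correct, and the bounds check just above it (`if ((unsigned long)phdr->name_offset + (unsigned long)phdr->name_length > ctx->param_bytes)`) deserves a mention in this context: it only bounds the resulting pointer when the offset is applied to the buffer itself. With `&phdr` as the base, the offset was added to the address of the local pointer variable, so a name_offset that passed the check still produced a pointer into the stack. Since name_offset is relative to the start of the parameters header that phdr points at (the Fixes: commit changed data to point at that header), `(char *)phdr + phdr->name_offset` is the intended expression. A one-line comment above the assignment, e.g. `/* name_offset is relative to the start of the header */`, would document that and make it harder for a later reader to reintroduce the `&`.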
--
2.39.5
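The following is an added, self-contained illustration of the bug and the fix, not code from the patch or from the visorbus driver. The struct params_header layout, the sample buffer, make_sample_context() and prefix_expression_points_outside() are assumptions chosen for the demonstration; parser_name_get() mirrors the fixed logic from the hunk, and parser_string_get() is a simplified stand-in for the driver's helper.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the controlvm parameters header: only the two
 * fields parser_name_get() reads. Assumed layout, not the driver's struct. */
struct params_header {
	uint32_t name_offset;	/* relative to the start of this header */
	uint32_t name_length;
};

struct parser_context {
	struct params_header *data;	/* parameter buffer; header at offset 0 */
	unsigned long param_bytes;	/* size of that buffer */
	const char *curr;
	unsigned long bytes_remaining;
};

/* Constructed sample buffer: header followed by the name bytes. Kept global so
 * it is not on the stack next to the local pointer examined below. */
static unsigned char sample_buf[64];

/* Fill sample_buf with a header whose name field starts right after it. */
static struct parser_context make_sample_context(const char *name)
{
	struct params_header *hdr = (struct params_header *)sample_buf;
	size_t len = strlen(name) + 1;		/* include the NUL */
	struct parser_context ctx;

	memset(sample_buf, 0, sizeof(sample_buf));
	hdr->name_offset = sizeof(*hdr);
	hdr->name_length = (uint32_t)len;
	memcpy(sample_buf + hdr->name_offset, name, len);

	ctx.data = hdr;
	ctx.param_bytes = sizeof(*hdr) + len;	/* only the bytes "received" */
	ctx.curr = NULL;
	ctx.bytes_remaining = 0;
	return ctx;
}

/* Simplified stand-in for parser_string_get(): copy up to len bytes, stopping
 * at an embedded NUL, into a fresh NUL-terminated heap string. */
static char *parser_string_get(const char *ptr, unsigned long len)
{
	unsigned long n = 0;
	char *s;

	while (n < len && ptr[n] != '\0')
		n++;
	s = malloc(n + 1);
	if (!s)
		return NULL;
	memcpy(s, ptr, n);
	s[n] = '\0';
	return s;
}

/* The fixed logic: the offset is applied to phdr (the buffer), never to &phdr. */
static char *parser_name_get(struct parser_context *ctx)
{
	struct params_header *phdr = ctx->data;

	if ((unsigned long)phdr->name_offset +
	    (unsigned long)phdr->name_length > ctx->param_bytes)
		return NULL;
	ctx->curr = (const char *)phdr + phdr->name_offset;
	ctx->bytes_remaining = phdr->name_length;
	return parser_string_get(ctx->curr, phdr->name_length);
}

/* Where the pre-fix expression pointed: &phdr is the address of the local
 * variable, so the result lies on the stack, outside the buffer, even though
 * the same bounds check passed. Returns 1 when the address is outside. */
static int prefix_expression_points_outside(struct parser_context *ctx)
{
	struct params_header *phdr = ctx->data;
	uintptr_t bad = (uintptr_t)&phdr + phdr->name_offset;
	uintptr_t lo = (uintptr_t)ctx->data;
	uintptr_t hi = lo + ctx->param_bytes;

	return !(bad >= lo && bad < hi);
}

int main(void)
{
	struct parser_context ctx = make_sample_context("visorbus0");
	char *name = parser_name_get(&ctx);

	printf("name: %s\n", name ? name : "(null)");
	printf("pre-fix pointer outside buffer: %d\n",
	       prefix_expression_points_outside(&ctx));
	free(name);
	return 0;
}
```

The point the program makes is that the check on name_offset + name_length is only meaningful relative to the buffer base: with the corrected base the name is read from inside sample_buf and oversized offsets or lengths are rejected before any pointer is formed, while the old `&phdr` base yields an address outside the buffer for exactly the same, check-passing header.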