CVE-2024-50227

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 09/11/2024
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()

KASAN reported the following issue:

  BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]
  Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11
  CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387
  Tainted: [U]=USER
  Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
  Call Trace:

  dump_stack_lvl+0x6c/0x90
  print_report+0xd1/0x630
  kasan_report+0xdb/0x110
  __asan_report_load4_noabort+0x14/0x20
  tb_retimer_scan+0xffe/0x1550 [thunderbolt]
  tb_scan_port+0xa6f/0x2060 [thunderbolt]
  tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]
  process_one_work+0x626/0x1100
  worker_thread+0x6c8/0xfa0
  kthread+0x2c8/0x3a0
  ret_from_fork+0x3a/0x80
  ret_from_fork_asm+0x1a/0x30

This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the array declared on the stack.

Fix this by assigning to max directly in the loop body.
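The off-by-one described above, reduced to a stand-alone C model (an added example, not the kernel's tb_retimer_scan() code). MAX_INDEX, NSTATUS and probe() are assumptions chosen to match the "3 instead of 2" in the description; oob_reads() only counts the indices a second loop would read out of bounds and never performs the access.

```c
#include <stdio.h>

#define MAX_INDEX 2               /* assumed highest valid index (the "2" in the text) */
#define NSTATUS   (MAX_INDEX + 1) /* assumed size of the on-stack array */

/* Hypothetical per-index probe: negative means error, which ends the scan. */
static int probe(int idx, int fail_at) { return idx == fail_at ? -1 : 0; }

/* Before: max is copied from the loop variable after the loop has ended. */
static int scan_max_before(int fail_at)
{
    int i;

    for (i = 1; i <= MAX_INDEX; i++)
        if (probe(i, fail_at) < 0)
            break;
    return i; /* on a full scan i is already MAX_INDEX + 1 */
}

/* After: max is assigned in the loop body, so it only holds visited indices. */
static int scan_max_after(int fail_at)
{
    int i, max = 0;

    for (i = 1; i <= MAX_INDEX; i++) {
        if (probe(i, fail_at) < 0)
            break;
        max = i;
    }
    return max;
}

/* Counts indices a second loop "for (i = 1; i <= max; i++) status[i]" would
 * read outside status[NSTATUS]; it never performs the out-of-bounds access. */
static int oob_reads(int max)
{
    int i, oob = 0;

    for (i = 1; i <= max; i++)
        if (i >= NSTATUS)
            oob++;
    return oob;
}

int main(void)
{
    printf("before: max=%d oob=%d\n", scan_max_before(0), oob_reads(scan_max_before(0)));
    printf("after:  max=%d oob=%d\n", scan_max_after(0), oob_reads(scan_max_after(0)));
    return 0;
}
```

Passing 0 as fail_at means no probe fails, which is the full-scan case where the model's "before" variant yields 3 and the second loop touches one element past the array.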

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.11 (including)   6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*