CVE-2026-43205

Description

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

References

• https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c
• https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5
• https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900
• https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28
• https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d