dpaa2-switch: validate num_ifs to prevent out-of-bounds write

Summary

CVE	CVE-2026-43205
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 12:16:39 UTC
Updated	2026-05-06 13:07:51 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] \|= ...

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de a26dda3bae469c8e4e1b1993ad33dafa32d0fc28 git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de a3034a8d56174dd6464c46823438f25797910a8d git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de b690635d4719214892855b79ce018d4b1672ac96 git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de 8b841fd529db9faf8bc678d429d4bf4e98b10900 git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de 89764cf44544e943230f5e03b8c40a90da26537c git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de c18493f750208eb4ff1198fc5a02786b8b2d70a6 git	Not specified
CNA	Linux	Linux	affected 539dda3c5d190c5088b5e57944b1b482fcb464de 8a5752c6dcc085a3bfc78589925182e4e98468c5 git	Not specified
CNA	Linux	Linux	affected 5.13	Not specified
CNA	Linux	Linux	unaffected 5.13 semver	Not specified
CNA	Linux	Linux	unaffected 5.15.202 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.165 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.128 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.75 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.16 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.6 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.