* [PATCH net 0/2] net/smc: fix out of bound access in netlink interface
@ 2021-01-12 16:21 Karsten Graul
2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw)
To: David Miller, Jakub Kicinski
Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390
Please apply the following patch for smc to netdev's net tree.
Both patches fix possible out-of-bounds reads. The original code expected
that snprintf() reads len-1 bytes from source and appends the terminating
null, but actually snprintf() first copies len bytes and finally overwrites
the last byte with a null.
Fix this by using memcpy() and terminating the string afterwards.
Guvenc Gulce (1):
net/smc: use memcpy instead of snprintf to avoid out of bounds read
Jakub Kicinski (1):
smc: fix out of bound access in smc_nl_get_sys_info()
net/smc/smc_core.c | 20 +++++++++++++-------
net/smc/smc_ib.c | 6 +++---
net/smc/smc_ism.c | 3 ++-
3 files changed, 18 insertions(+), 11 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info()
2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul
@ 2021-01-12 16:21 ` Karsten Graul
2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul
2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw)
To: David Miller, Jakub Kicinski
Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390
From: Jakub Kicinski <kuba@kernel.org>
smc_clc_get_hostname() sets the host pointer to a buffer
which is not NULL-terminated (see smc_clc_init()).
Reported-by: syzbot+f4708c391121cfc58396@syzkaller.appspotmail.com
Fixes: 099b990bd11a ("net/smc: Add support for obtaining system information")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
---
net/smc/smc_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 59342b519e34..8d866b4ed8f6 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -246,7 +246,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb)
goto errattr;
smc_clc_get_hostname(&host);
if (host) {
- snprintf(hostname, sizeof(hostname), "%s", host);
+ memcpy(hostname, host, SMC_MAX_HOSTNAME_LEN);
+ hostname[SMC_MAX_HOSTNAME_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_SYS_LOCAL_HOST, hostname))
goto errattr;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read
2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul
2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul
@ 2021-01-12 16:21 ` Karsten Graul
2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw)
To: David Miller, Jakub Kicinski
Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390
From: Guvenc Gulce <guvenc@linux.ibm.com>
Using snprintf() to convert not null-terminated strings to null
terminated strings may cause out of bounds read in the source string.
Therefore use memcpy() and terminate the target string with a null
afterwards.
Fixes: a3db10efcc4c ("net/smc: Add support for obtaining SMCR device list")
Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
---
net/smc/smc_core.c | 17 +++++++++++------
net/smc/smc_ib.c | 6 +++---
net/smc/smc_ism.c | 3 ++-
3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 8d866b4ed8f6..0df85a12651e 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -258,7 +258,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb)
smc_ism_get_system_eid(smcd_dev, &seid);
mutex_unlock(&smcd_dev_list.mutex);
if (seid && smc_ism_is_v2_capable()) {
- snprintf(smc_seid, sizeof(smc_seid), "%s", seid);
+ memcpy(smc_seid, seid, SMC_MAX_EID_LEN);
+ smc_seid[SMC_MAX_EID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_SYS_SEID, smc_seid))
goto errattr;
}
@@ -296,7 +297,8 @@ static int smc_nl_fill_lgr(struct smc_link_group *lgr,
goto errattr;
if (nla_put_u8(skb, SMC_NLA_LGR_R_VLAN_ID, lgr->vlan_id))
goto errattr;
- snprintf(smc_target, sizeof(smc_target), "%s", lgr->pnet_id);
+ memcpy(smc_target, lgr->pnet_id, SMC_MAX_PNETID_LEN);
+ smc_target[SMC_MAX_PNETID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_LGR_R_PNETID, smc_target))
goto errattr;
@@ -313,7 +315,7 @@ static int smc_nl_fill_lgr_link(struct smc_link_group *lgr,
struct sk_buff *skb,
struct netlink_callback *cb)
{
- char smc_ibname[IB_DEVICE_NAME_MAX + 1];
+ char smc_ibname[IB_DEVICE_NAME_MAX];
u8 smc_gid_target[41];
struct nlattr *attrs;
u32 link_uid = 0;
@@ -462,7 +464,8 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr,
goto errattr;
if (nla_put_u32(skb, SMC_NLA_LGR_D_CHID, smc_ism_get_chid(lgr->smcd)))
goto errattr;
- snprintf(smc_pnet, sizeof(smc_pnet), "%s", lgr->smcd->pnetid);
+ memcpy(smc_pnet, lgr->smcd->pnetid, SMC_MAX_PNETID_LEN);
+ smc_pnet[SMC_MAX_PNETID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_LGR_D_PNETID, smc_pnet))
goto errattr;
@@ -475,10 +478,12 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr,
goto errv2attr;
if (nla_put_u8(skb, SMC_NLA_LGR_V2_OS, lgr->peer_os))
goto errv2attr;
- snprintf(smc_host, sizeof(smc_host), "%s", lgr->peer_hostname);
+ memcpy(smc_host, lgr->peer_hostname, SMC_MAX_HOSTNAME_LEN);
+ smc_host[SMC_MAX_HOSTNAME_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_LGR_V2_PEER_HOST, smc_host))
goto errv2attr;
- snprintf(smc_eid, sizeof(smc_eid), "%s", lgr->negotiated_eid);
+ memcpy(smc_eid, lgr->negotiated_eid, SMC_MAX_EID_LEN);
+ smc_eid[SMC_MAX_EID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_LGR_V2_NEG_EID, smc_eid))
goto errv2attr;
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index ddd7fac98b1d..7d7ba0320d5a 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -371,8 +371,8 @@ static int smc_nl_handle_dev_port(struct sk_buff *skb,
if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR,
smcibdev->pnetid_by_user[port]))
goto errattr;
- snprintf(smc_pnet, sizeof(smc_pnet), "%s",
- (char *)&smcibdev->pnetid[port]);
+ memcpy(smc_pnet, &smcibdev->pnetid[port], SMC_MAX_PNETID_LEN);
+ smc_pnet[SMC_MAX_PNETID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet))
goto errattr;
if (nla_put_u32(skb, SMC_NLA_DEV_PORT_NETDEV,
@@ -414,7 +414,7 @@ static int smc_nl_handle_smcr_dev(struct smc_ib_device *smcibdev,
struct sk_buff *skb,
struct netlink_callback *cb)
{
- char smc_ibname[IB_DEVICE_NAME_MAX + 1];
+ char smc_ibname[IB_DEVICE_NAME_MAX];
struct smc_pci_dev smc_pci_dev;
struct pci_dev *pci_dev;
unsigned char is_crit;
diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c
index 524ef64a191a..9c6e95882553 100644
--- a/net/smc/smc_ism.c
+++ b/net/smc/smc_ism.c
@@ -250,7 +250,8 @@ static int smc_nl_handle_smcd_dev(struct smcd_dev *smcd,
goto errattr;
if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR, smcd->pnetid_by_user))
goto errportattr;
- snprintf(smc_pnet, sizeof(smc_pnet), "%s", smcd->pnetid);
+ memcpy(smc_pnet, smcd->pnetid, SMC_MAX_PNETID_LEN);
+ smc_pnet[SMC_MAX_PNETID_LEN] = 0;
if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet))
goto errportattr;
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net 0/2] net/smc: fix out of bound access in netlink interface
2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul
2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul
2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul
@ 2021-01-13 4:30 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-01-13 4:30 UTC (permalink / raw)
To: Karsten Graul; +Cc: davem, kuba, hca, raspl, netdev, linux-s390
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Tue, 12 Jan 2021 17:21:20 +0100 you wrote:
> Please apply the following patch for smc to netdev's net tree.
>
> Both patches fix possible out-of-bounds reads. The original code expected
> that snprintf() reads len-1 bytes from source and appends the terminating
> null, but actually snprintf() first copies len bytes and finally overwrites
> the last byte with a null.
> Fix this by using memcpy() and terminating the string afterwards.
>
> [...]
Here is the summary with links:
- [net,1/2] smc: fix out of bound access in smc_nl_get_sys_info()
https://git.kernel.org/netdev/net/c/25fe2c9c4cd2
- [net,2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read
https://git.kernel.org/netdev/net/c/8a4465368964
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-13 4:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul
2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul
2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul
2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.