* [PATCH] bna: ethtool: Avoid reading past end of buffer
@ 2018-11-09 12:52 Loic
2018-11-17 14:37 ` Sasha Levin
0 siblings, 1 reply; 4+ messages in thread
From: Loic @ 2018-11-09 12:52 UTC (permalink / raw)
To: stable; +Cc: danielmicay, keescook, davem
Hello,
Please picked up this patch for linux 4.4 and 4.9.
Compiled/tested without problem.
Thank.
[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ]
From: Kees Cook <keescook@chromium.org>
Date: Fri, 5 May 2017 15:30:23 -0700
Subject: [PATCH] bna: ethtool: Avoid reading past end of buffer
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
index 286593922139e..31032de5843b1 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
@@ -547,8 +547,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
ETH_GSTRING_LEN));
- memcpy(string, bnad_net_stats_strings[i],
- ETH_GSTRING_LEN);
+ strncpy(string, bnad_net_stats_strings[i],
+ ETH_GSTRING_LEN);
string += ETH_GSTRING_LEN;
}
bmap = bna_tx_rid_mask(&bnad->bna);
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] bna: ethtool: Avoid reading past end of buffer
2018-11-09 12:52 [PATCH] bna: ethtool: Avoid reading past end of buffer Loic
@ 2018-11-17 14:37 ` Sasha Levin
0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-11-17 14:37 UTC (permalink / raw)
To: Loic; +Cc: stable, danielmicay, keescook, davem
On Fri, Nov 09, 2018 at 01:52:57PM +0100, Loic wrote:
>Hello,
>
>Please picked up this patch for linux 4.4 and 4.9.
>Compiled/tested without problem.
>
>Thank.
>
>[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ]
>
>From: Kees Cook <keescook@chromium.org>
>Date: Fri, 5 May 2017 15:30:23 -0700
>Subject: [PATCH] bna: ethtool: Avoid reading past end of buffer
>
>Using memcpy() from a string that is shorter than the length copied means
>the destination buffer is being filled with arbitrary data from the kernel
>rodata segment. Instead, use strncpy() which will fill the trailing bytes
>with zeros.
>
>This was found with the future CONFIG_FORTIFY_SOURCE feature.
>
>Cc: Daniel Micay <danielmicay@gmail.com>
>Signed-off-by: Kees Cook <keescook@chromium.org>
>Signed-off-by: David S. Miller <davem@davemloft.net>
Queued for 4.9 and 4.4, thank you.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] bna: ethtool: Avoid reading past end of buffer
2017-05-05 22:30 Kees Cook
@ 2017-05-08 18:42 ` David Miller
0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2017-05-08 18:42 UTC (permalink / raw)
To: keescook
Cc: netdev, rasesh.mody, sudarsana.kalluru, linux-kernel,
Dept-GELinuxNICDev, danielmicay
From: Kees Cook <keescook@chromium.org>
Date: Fri, 5 May 2017 15:30:23 -0700
> Using memcpy() from a string that is shorter than the length copied means
> the destination buffer is being filled with arbitrary data from the kernel
> rodata segment. Instead, use strncpy() which will fill the trailing bytes
> with zeros.
>
> This was found with the future CONFIG_FORTIFY_SOURCE feature.
>
> Cc: Daniel Micay <danielmicay@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] bna: ethtool: Avoid reading past end of buffer
@ 2017-05-05 22:30 Kees Cook
2017-05-08 18:42 ` David Miller
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2017-05-05 22:30 UTC (permalink / raw)
To: netdev
Cc: Rasesh Mody, Sudarsana Kalluru, linux-kernel, Dept-GELinuxNICDev,
Daniel Micay
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
index 286593922139..31032de5843b 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
@@ -547,8 +547,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
ETH_GSTRING_LEN));
- memcpy(string, bnad_net_stats_strings[i],
- ETH_GSTRING_LEN);
+ strncpy(string, bnad_net_stats_strings[i],
+ ETH_GSTRING_LEN);
string += ETH_GSTRING_LEN;
}
bmap = bna_tx_rid_mask(&bnad->bna);
--
2.7.4
--
Kees Cook
Pixel Security
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-11-18 0:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-09 12:52 [PATCH] bna: ethtool: Avoid reading past end of buffer Loic
2018-11-17 14:37 ` Sasha Levin
-- strict thread matches above, loose matches on Subject: below --
2017-05-05 22:30 Kees Cook
2017-05-08 18:42 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.