* pull-request: can 2019-08-02
@ 2019-08-02 12:00 Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 1/4] can: sja1000: force the string buffer NULL-terminated Marc Kleine-Budde
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2019-08-02 12:00 UTC (permalink / raw)
To: netdev; +Cc: davem, linux-can, kernel
Hello David,
this is a pull request of 4 patches for net/master.
The first two patches are by Wang Xiayang, they force that the string buffer
during a dev_info() is properly NULL terminated.
The last two patches are by Tomas Bortoli and fix both a potential info leak of
kernel memory to USB devices.
regards,
Marc
---
The following changes since commit 224c04973db1125fcebefffd86115f99f50f8277:
net: usb: pegasus: fix improper read if get_registers() fail (2019-08-01 18:18:27 -0400)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-5.3-20190802
for you to fetch changes up to ead16e53c2f0ed946d82d4037c630e2f60f4ab69:
can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices (2019-08-02 13:58:01 +0200)
----------------------------------------------------------------
linux-can-fixes-for-5.3-20190802
----------------------------------------------------------------
Tomas Bortoli (2):
can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
Wang Xiayang (2):
can: sja1000: force the string buffer NULL-terminated
can: peak_usb: force the string buffer NULL-terminated
drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] can: sja1000: force the string buffer NULL-terminated
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
@ 2019-08-02 12:00 ` Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 2/4] can: peak_usb: " Marc Kleine-Budde
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2019-08-02 12:00 UTC (permalink / raw)
To: netdev; +Cc: davem, linux-can, kernel, Wang Xiayang, Marc Kleine-Budde
From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
strncpy() does not ensure NULL-termination when the input string size
equals to the destination buffer size IFNAMSIZ. The output string
'name' is passed to dev_info which relies on NULL-termination.
Use strlcpy() instead.
This issue is identified by a Coccinelle script.
Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
index 185c7f7d38a4..5e0d5e8101c8 100644
--- a/drivers/net/can/sja1000/peak_pcmcia.c
+++ b/drivers/net/can/sja1000/peak_pcmcia.c
@@ -479,7 +479,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
if (!netdev)
continue;
- strncpy(name, netdev->name, IFNAMSIZ);
+ strlcpy(name, netdev->name, IFNAMSIZ);
unregister_sja1000dev(netdev);
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/4] can: peak_usb: force the string buffer NULL-terminated
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 1/4] can: sja1000: force the string buffer NULL-terminated Marc Kleine-Budde
@ 2019-08-02 12:00 ` Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 3/4] can: peak_usb: pcan_usb_fd: uix info-leaks to USB devices Marc Kleine-Budde
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2019-08-02 12:00 UTC (permalink / raw)
To: netdev; +Cc: davem, linux-can, kernel, Wang Xiayang, Marc Kleine-Budde
From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
strncpy() does not ensure NULL-termination when the input string size
equals to the destination buffer size IFNAMSIZ. The output string is
passed to dev_info() which relies on the NULL-termination.
Use strlcpy() instead.
This issue is identified by a Coccinelle script.
Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
index 22b9c8e6d040..65dce642b86b 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -855,7 +855,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
dev_prev_siblings = dev->prev_siblings;
dev->state &= ~PCAN_USB_STATE_CONNECTED;
- strncpy(name, netdev->name, IFNAMSIZ);
+ strlcpy(name, netdev->name, IFNAMSIZ);
unregister_netdev(netdev);
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] can: peak_usb: pcan_usb_fd: uix info-leaks to USB devices
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 1/4] can: sja1000: force the string buffer NULL-terminated Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 2/4] can: peak_usb: " Marc Kleine-Budde
@ 2019-08-02 12:00 ` Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 4/4] can: peak_usb: pcan_usb_pro: Fix " Marc Kleine-Budde
2019-08-05 21:45 ` pull-request: can 2019-08-02 David Miller
4 siblings, 0 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2019-08-02 12:00 UTC (permalink / raw)
To: netdev
Cc: davem, linux-can, kernel, Tomas Bortoli,
syzbot+513e4d0985298538bf9b, linux-stable, Marc Kleine-Budde
From: Tomas Bortoli <tomasbortoli@gmail.com>
Uninitialized Kernel memory can leak to USB devices.
Fix by using kzalloc() instead of kmalloc() on the affected buffers.
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
index 34761c3a6286..47cc1ff5b88e 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
goto err_out;
/* allocate command buffer once for all for the interface */
- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
GFP_KERNEL);
if (!pdev->cmd_buffer_addr)
goto err_out_1;
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
` (2 preceding siblings ...)
2019-08-02 12:00 ` [PATCH 3/4] can: peak_usb: pcan_usb_fd: uix info-leaks to USB devices Marc Kleine-Budde
@ 2019-08-02 12:00 ` Marc Kleine-Budde
2019-08-05 21:45 ` pull-request: can 2019-08-02 David Miller
4 siblings, 0 replies; 6+ messages in thread
From: Marc Kleine-Budde @ 2019-08-02 12:00 UTC (permalink / raw)
To: netdev
Cc: davem, linux-can, kernel, Tomas Bortoli,
syzbot+d6a5a1a3657b596ef132, linux-stable, Marc Kleine-Budde
From: Tomas Bortoli <tomasbortoli@gmail.com>
Uninitialized Kernel memory can leak to USB devices.
Fix by using kzalloc() instead of kmalloc() on the affected buffers.
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
index 178bb7cff0c1..53cb2f72bdd0 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
@@ -494,7 +494,7 @@ static int pcan_usb_pro_drv_loaded(struct peak_usb_device *dev, int loaded)
u8 *buffer;
int err;
- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: pull-request: can 2019-08-02
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
` (3 preceding siblings ...)
2019-08-02 12:00 ` [PATCH 4/4] can: peak_usb: pcan_usb_pro: Fix " Marc Kleine-Budde
@ 2019-08-05 21:45 ` David Miller
4 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2019-08-05 21:45 UTC (permalink / raw)
To: mkl; +Cc: netdev, linux-can, kernel
From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Fri, 2 Aug 2019 14:00:34 +0200
> this is a pull request of 4 patches for net/master.
>
> The first two patches are by Wang Xiayang, they force that the string buffer
> during a dev_info() is properly NULL terminated.
>
> The last two patches are by Tomas Bortoli and fix both a potential info leak of
> kernel memory to USB devices.
Pulled, thanks Marc.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-08-05 21:45 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-02 12:00 pull-request: can 2019-08-02 Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 1/4] can: sja1000: force the string buffer NULL-terminated Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 2/4] can: peak_usb: " Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 3/4] can: peak_usb: pcan_usb_fd: uix info-leaks to USB devices Marc Kleine-Budde
2019-08-02 12:00 ` [PATCH 4/4] can: peak_usb: pcan_usb_pro: Fix " Marc Kleine-Budde
2019-08-05 21:45 ` pull-request: can 2019-08-02 David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.