From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 14/16] net: qed: Fix memcpy() overflow of qed_dcbx_params()
Date: Mon, 21 Jun 2021 13:54:48 -0400
Message-ID: <20210621175450.736067-14-sashal@kernel.org>
In-Reply-To: <20210621175450.736067-1-sashal@kernel.org>

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 1c200f832e14420fa770193f9871f4ce2df00d07 ]

The source (&dcbx_info->operational.params) and dest
(&p_hwfn->p_dcbx_info->set.config.params) are both struct qed_dcbx_params
(560 bytes), not struct qed_dcbx_admin_params (564 bytes), which is used
as the memcpy() size.

However it seems that struct qed_dcbx_operational_params
(dcbx_info->operational)'s layout matches struct qed_dcbx_admin_params
(p_hwfn->p_dcbx_info->set.config)'s 4 byte difference (3 padding, 1 byte
for "valid").

On the assumption that the size is wrong (rather than the source structure
type), adjust the memcpy() size argument to be 4 bytes smaller and add
a BUILD_BUG_ON() to validate any changes to the structure sizes.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
index 5900a506bf8d..ff8a7750d3c0 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
@@ -1294,9 +1294,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
 		p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC;
 
 	p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
+	BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
+		     sizeof(p_hwfn->p_dcbx_info->set.config.params));
 	memcpy(&p_hwfn->p_dcbx_info->set.config.params,
 	       &dcbx_info->operational.params,
-	       sizeof(struct qed_dcbx_admin_params));
+	       sizeof(p_hwfn->p_dcbx_info->set.config.params));
 	p_hwfn->p_dcbx_info->set.config.valid = true;
 
 	memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
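
Review bot: The BUILD_BUG_ON() added ahead of the first memcpy() only proves that the two params members have the same size, not that they are the same type, so a later change that keeps the size but reorders or retypes fields would still build. Since the commit message says both sides are struct qed_dcbx_params, a plain assignment, `p_hwfn->p_dcbx_info->set.config.params = dcbx_info->operational.params;`, would let the compiler check the type and make both the size argument and the BUILD_BUG_ON() unnecessary. The shortened copy no longer carries the trailing "valid" byte, which is fine here because set.config.valid is assigned explicitly on the next line. Separately, the unchanged `memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));` at the end of the hunk still sizes the copy from a type name, the same pattern this patch corrects; the declaration of params is not visible in this context, so it is worth confirming it points to a struct qed_dcbx_set and switching the size to sizeof(*params) or sizeof(p_hwfn->p_dcbx_info->set).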
-- 
2.30.2

