* [PATCH] hv_netvsc: Avoid field-overflowing memcpy()
@ 2021-06-21 22:21 Kees Cook
2021-06-22 17:30 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2021-06-21 22:21 UTC (permalink / raw)
To: K. Y. Srinivasan
Cc: Kees Cook, Haiyang Zhang, Stephen Hemminger, Wei Liu, Dexuan Cui,
David S. Miller, Jakub Kicinski, linux-kernel, linux-hyperv,
netdev, linux-hardening
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.
Add flexible array to represent start of buf_info, improving readability
and avoid future warning where memcpy() thinks it is writing past the
end of the structure.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/hyperv/hyperv_net.h | 1 +
drivers/net/hyperv/rndis_filter.c | 6 ++----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
index b11aa68b44ec..bc48855dff10 100644
--- a/drivers/net/hyperv/hyperv_net.h
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -1170,6 +1170,7 @@ struct rndis_set_request {
u32 info_buflen;
u32 info_buf_offset;
u32 dev_vc_handle;
+ u8 info_buf[];
};
/* Response to NdisSetRequest */
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 983bf362466a..f6c9c2a670f9 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1051,10 +1051,8 @@ static int rndis_filter_set_packet_filter(struct rndis_device *dev,
set = &request->request_msg.msg.set_req;
set->oid = RNDIS_OID_GEN_CURRENT_PACKET_FILTER;
set->info_buflen = sizeof(u32);
- set->info_buf_offset = sizeof(struct rndis_set_request);
-
- memcpy((void *)(unsigned long)set + sizeof(struct rndis_set_request),
- &new_filter, sizeof(u32));
+ set->info_buf_offset = offsetof(typeof(*set), info_buf);
+ memcpy(set->info_buf, &new_filter, sizeof(u32));
ret = rndis_filter_send_request(dev, request);
if (ret == 0) {
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] hv_netvsc: Avoid field-overflowing memcpy()
2021-06-21 22:21 [PATCH] hv_netvsc: Avoid field-overflowing memcpy() Kees Cook
@ 2021-06-22 17:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-06-22 17:30 UTC (permalink / raw)
To: Kees Cook
Cc: kys, haiyangz, sthemmin, wei.liu, decui, davem, kuba,
linux-kernel, linux-hyperv, netdev, linux-hardening
Hello:
This patch was applied to netdev/net-next.git (refs/heads/master):
On Mon, 21 Jun 2021 15:21:12 -0700 you wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
>
> Add flexible array to represent start of buf_info, improving readability
> and avoid future warning where memcpy() thinks it is writing past the
> end of the structure.
>
> [...]
Here is the summary with links:
- hv_netvsc: Avoid field-overflowing memcpy()
https://git.kernel.org/netdev/net-next/c/f2fcffe392c1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-22 17:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-21 22:21 [PATCH] hv_netvsc: Avoid field-overflowing memcpy() Kees Cook
2021-06-22 17:30 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).