* [PATCH] bna: ethtool: Avoid reading past end of buffer
@ 2017-05-05 22:30 Kees Cook
2017-05-08 18:42 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2017-05-05 22:30 UTC (permalink / raw)
To: netdev
Cc: Rasesh Mody, Sudarsana Kalluru, linux-kernel, Dept-GELinuxNICDev,
Daniel Micay
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
index 286593922139..31032de5843b 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
@@ -547,8 +547,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
ETH_GSTRING_LEN));
- memcpy(string, bnad_net_stats_strings[i],
- ETH_GSTRING_LEN);
+ strncpy(string, bnad_net_stats_strings[i],
+ ETH_GSTRING_LEN);
string += ETH_GSTRING_LEN;
}
bmap = bna_tx_rid_mask(&bnad->bna);
--
2.7.4
--
Kees Cook
Pixel Security
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] bna: ethtool: Avoid reading past end of buffer
2017-05-05 22:30 [PATCH] bna: ethtool: Avoid reading past end of buffer Kees Cook
@ 2017-05-08 18:42 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-05-08 18:42 UTC (permalink / raw)
To: keescook
Cc: netdev, rasesh.mody, sudarsana.kalluru, linux-kernel,
Dept-GELinuxNICDev, danielmicay
From: Kees Cook <keescook@chromium.org>
Date: Fri, 5 May 2017 15:30:23 -0700
> Using memcpy() from a string that is shorter than the length copied means
> the destination buffer is being filled with arbitrary data from the kernel
> rodata segment. Instead, use strncpy() which will fill the trailing bytes
> with zeros.
>
> This was found with the future CONFIG_FORTIFY_SOURCE feature.
>
> Cc: Daniel Micay <danielmicay@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Applied.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-08 18:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-05 22:30 [PATCH] bna: ethtool: Avoid reading past end of buffer Kees Cook
2017-05-08 18:42 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).