* [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer
@ 2018-02-02 15:18 Arnd Bergmann
2018-02-02 16:59 ` David Laight
2018-02-03 0:33 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Arnd Bergmann @ 2018-02-02 15:18 UTC (permalink / raw)
To: Ganesh Goudar
Cc: Nicolas Pitre, Andi Kleen, Arnd Bergmann, David S. Miller,
Herbert Xu, Rahul Lakkireddy, Kumar Sanghvi, Harsh Jain,
Atul Gupta, netdev, linux-kernel
Building with link-time-optimizations revealed that the cxgb4 driver does
a fixed-size memcpy() from a variable-length constant string into the
network interface name:
In function 'memcpy',
inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2,
inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9:
include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
__read_overflow2();
^
I can see two equally workable solutions: either we use a strncpy() instead
of the memcpy() to stop at the end of the input, or we make the source buffer
fixed length as well. This implements the latter.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
index 1d37672902da..a14e8db51cdc 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
@@ -355,7 +355,7 @@ struct cxgb4_lld_info {
};
struct cxgb4_uld_info {
- const char *name;
+ char name[IFNAMSIZ];
void *handle;
unsigned int nrxq;
unsigned int rxq_size;
--
2.9.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer
2018-02-02 15:18 [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer Arnd Bergmann
@ 2018-02-02 16:59 ` David Laight
2018-02-03 0:33 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Laight @ 2018-02-02 16:59 UTC (permalink / raw)
To: 'Arnd Bergmann', Ganesh Goudar
Cc: Nicolas Pitre, Andi Kleen, David S. Miller, Herbert Xu,
Rahul Lakkireddy, Kumar Sanghvi, Harsh Jain, Atul Gupta, netdev,
linux-kernel
From: Arnd Bergmann
> Sent: 02 February 2018 15:19
>
> Building with link-time-optimizations revealed that the cxgb4 driver does
> a fixed-size memcpy() from a variable-length constant string into the
> network interface name:
...
> I can see two equally workable solutions: either we use a strncpy() instead
> of the memcpy() to stop at the end of the input, or we make the source buffer
> fixed length as well. This implements the latter.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
> b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
> index 1d37672902da..a14e8db51cdc 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
> +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
> @@ -355,7 +355,7 @@ struct cxgb4_lld_info {
> };
>
> struct cxgb4_uld_info {
> - const char *name;
> + char name[IFNAMSIZ];
> void *handle;
> unsigned int nrxq;
> unsigned int rxq_size;
> --
> 2.9.0
Surely there is another part to this patch?
David
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer
2018-02-02 15:18 [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer Arnd Bergmann
2018-02-02 16:59 ` David Laight
@ 2018-02-03 0:33 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2018-02-03 0:33 UTC (permalink / raw)
To: arnd
Cc: ganeshgr, nico, ak, herbert, rahul.lakkireddy, kumaras, harsh,
atul.gupta, netdev, linux-kernel
From: Arnd Bergmann <arnd@arndb.de>
Date: Fri, 2 Feb 2018 16:18:37 +0100
> Building with link-time-optimizations revealed that the cxgb4 driver does
> a fixed-size memcpy() from a variable-length constant string into the
> network interface name:
>
> In function 'memcpy',
> inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2,
> inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9:
> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
> __read_overflow2();
> ^
>
> I can see two equally workable solutions: either we use a strncpy() instead
> of the memcpy() to stop at the end of the input, or we make the source buffer
> fixed length as well. This implements the latter.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Not the most pleasant thing in the world, but I can't think of a better
solution.
> @@ -355,7 +355,7 @@ struct cxgb4_lld_info {
> };
>
> struct cxgb4_uld_info {
> - const char *name;
> + char name[IFNAMSIZ];
> void *handle;
> unsigned int nrxq;
> unsigned int rxq_size;
David Laight asked how this can be the sole part of the patch.
All of these structures are initialized like:
static struct cxgb4_uld_info {
.name = "foo",
...
};
So changing from "const char *" to "char []" just works.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-02-03 0:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-02 15:18 [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer Arnd Bergmann
2018-02-02 16:59 ` David Laight
2018-02-03 0:33 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).