lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 02 Feb 2018 19:33:24 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     arnd@...db.de
Cc:     ganeshgr@...lsio.com, nico@...aro.org, ak@...ux.intel.com,
        herbert@...dor.apana.org.au, rahul.lakkireddy@...lsio.com,
        kumaras@...lsio.com, harsh@...lsio.com, atul.gupta@...lsio.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer

From: Arnd Bergmann <arnd@...db.de>
Date: Fri,  2 Feb 2018 16:18:37 +0100

> Building with link-time-optimizations revealed that the cxgb4 driver does
> a fixed-size memcpy() from a variable-length constant string into the
> network interface name:
> 
> In function 'memcpy',
>     inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2,
>     inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9:
> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
>    __read_overflow2();
>    ^
> 
> I can see two equally workable solutions: either we use a strncpy() instead
> of the memcpy() to stop at the end of the input, or we make the source buffer
> fixed length as well. This implements the latter.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>

Not the most pleasant thing in the world, but I can't think of a better
solution.

> @@ -355,7 +355,7 @@ struct cxgb4_lld_info {
>  };
>  
>  struct cxgb4_uld_info {
> -	const char *name;
> +	char name[IFNAMSIZ];
>  	void *handle;
>  	unsigned int nrxq;
>  	unsigned int rxq_size;

David Laight asked how this can be the sole part of the patch.

All of these structures are initialized like:

static struct cxgb4_uld_info {
	.name	= "foo",
	...
};

So changing from "const char *" to "char []" just works.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ