lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20170824.140137.2014331371813442270.davem@davemloft.net>
Date:   Thu, 24 Aug 2017 14:01:37 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     arnd@...db.de
Cc:     harish.patil@...ium.com, manish.chopra@...ium.com,
        Dept-GELinuxNICDev@...ium.com, stable@...r.kernel.org,
        keescook@...omium.org, gustavo@...eddedor.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [net-next] qlge: avoid memcpy buffer overflow

From: Arnd Bergmann <arnd@...db.de>
Date: Wed, 23 Aug 2017 15:59:49 +0200

> gcc-8.0.0 (snapshot) points out that we copy a variable-length string
> into a fixed length field using memcpy() with the destination length,
> and that ends up copying whatever follows the string:
> 
>     inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
> drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
>   memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
> 
> Changing it to use strncpy() will instead zero-pad the destination,
> which seems to be the right thing to do here.
> 
> The bug is probably harmless, but it seems like a good idea to address
> it in stable kernels as well, if only for the purpose of building with
> gcc-8 without warnings.
> 
> Cc: stable@...r.kernel.org

Please don't use explicit stable CC:'ing for networking changes.

> Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>

Applied to 'net' and queued up for -stable, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ