| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Aug 2017 00:58:33 +0200
From: Arnd Bergmann <arnd@...db.de>
To: Karsten Keil <isdn@...ux-pingi.de>,
"David S. Miller" <davem@...emloft.net>
Cc: Arnd Bergmann <arnd@...db.de>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] isdn: hisax: fix buffer overflow check
gcc-8 warns about a corner case that can overflow a memcpy buffer when a
length variable is negative. While the code checks for an overly large
value, it does not check for a negative length that would get turned
into a large positive number:
In function 'memcpy',
inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2,
inlined from 'l3dss1_cmd_global' at drivers/isdn/hisax/l3dss1.c:2219:4:
include/linux/string.h:348:9: error: '__builtin_memcpy' reading 266 or more bytes from a region of size 265 [-Werror=stringop-overflow=]
In function 'memcpy',
inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2,
inlined from 'l3ni1_cmd_global' at drivers/isdn/hisax/l3ni1.c:2079:4:
include/linux/string.h:348:9: error: '__builtin_memcpy' reading between 266 and 4294967295 bytes from a region of size 265 [-Werror=stringop-overflow=]
It's not clear to me whether the warning should be here, or if this
is another case of an optimization step in gcc causing a warning about
something that would otherwise be silently ignored. Either way, making
the length 'unsigned int' instead ensures that no overflow can happen
here, and avoids the warning. The same code exists in two files, so I'm
patching both the same way.
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
drivers/isdn/hisax/l3dss1.c | 3 ++-
drivers/isdn/hisax/l3ni1.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/isdn/hisax/l3dss1.c b/drivers/isdn/hisax/l3dss1.c
index 18a3484b1f7e..85cef7a2e709 100644
--- a/drivers/isdn/hisax/l3dss1.c
+++ b/drivers/isdn/hisax/l3dss1.c
@@ -2168,7 +2168,8 @@ static int l3dss1_cmd_global(struct PStack *st, isdn_ctrl *ic)
{ u_char id;
u_char temp[265];
u_char *p = temp;
- int i, l, proc_len;
+ int i;
+ unsigned int l, proc_len;
struct sk_buff *skb;
struct l3_process *pc = NULL;
diff --git a/drivers/isdn/hisax/l3ni1.c b/drivers/isdn/hisax/l3ni1.c
index ea311e7df48e..99e0ba5d49a1 100644
--- a/drivers/isdn/hisax/l3ni1.c
+++ b/drivers/isdn/hisax/l3ni1.c
@@ -2024,7 +2024,8 @@ static int l3ni1_cmd_global(struct PStack *st, isdn_ctrl *ic)
{ u_char id;
u_char temp[265];
u_char *p = temp;
- int i, l, proc_len;
+ int i;
+ unsigned int l, proc_len;
struct sk_buff *skb;
struct l3_process *pc = NULL;
--
2.9.0
Powered by blists - more mailing lists