| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250827191315.GQ10519@horms.kernel.org>
Date: Wed, 27 Aug 2025 20:13:15 +0100
From: Simon Horman <horms@...nel.org>
To: Konrad Leszczynski <konrad.leszczynski@...el.com>
Cc: davem@...emloft.net, andrew+netdev@...n.ch, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, cezary.rojewski@...el.com,
sebastian.basierski@...el.com, Kees Cook <kees@...nel.org>
Subject: Re: [PATCH net-next 1/7] net: stmmac: replace memcpy with strscpy in
ethtool
+ Kees
On Tue, Aug 26, 2025 at 01:32:41PM +0200, Konrad Leszczynski wrote:
> Fix kernel exception by replacing memcpy with strscpy when used with
> safety feature strings in ethtool logic.
>
> [ +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
> [ +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571
>
> [ +0.000005] Call Trace:
> [ +0.000004] <TASK>
> [ +0.000003] dump_stack_lvl+0x6c/0x90
> [ +0.000016] print_report+0xce/0x610
> [ +0.000011] ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [ +0.000108] ? kasan_addr_to_slab+0xd/0xa0
> [ +0.000008] ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [ +0.000101] kasan_report+0xd4/0x110
> [ +0.000010] ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [ +0.000102] kasan_check_range+0x3a/0x1c0
> [ +0.000010] __asan_memcpy+0x24/0x70
> [ +0.000008] stmmac_get_strings+0x17d/0x520 [stmmac]
>
> Reviewed-by: Sebastian Basierski <sebastian.basierski@...el.com>
> Signed-off-by: Konrad Leszczynski <konrad.leszczynski@...el.com>
Hi Konrad,
As mentioned by Vadim elsewhere, as this is a fix it should
be part of a separate series targeted at net.
And it should have a Fixes tag.
Also, as a follow-up for net-next, it might be nice
to move stmmac_get_strings() to use an appropriate combination
of ethtool_puts() and ethtool_cpu().
See: commit 151e13ece86d ("net: ethtool: Adjust exactly ETH_GSTRING_LEN-long stats to use memcpy")
The code change itself looks good to me.
> ---
> drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> index f702f7b7bf9f..219a2df578ae 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> @@ -795,7 +795,7 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data)
> if (!stmmac_safety_feat_dump(priv,
> &priv->sstats, i,
> NULL, &desc)) {
> - memcpy(p, desc, ETH_GSTRING_LEN);
> + strscpy(p, desc, ETH_GSTRING_LEN);
> p += ETH_GSTRING_LEN;
> }
> }
> --
> 2.34.1
>
>
Powered by blists - more mailing lists