lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8cc527bc-41cd-48ae-a40a-05c69b2c4ac3@lunn.ch>
Date: Tue, 16 Sep 2025 19:12:22 +0200
From: Andrew Lunn <andrew@...n.ch>
To: Simon Horman <horms@...nel.org>
Cc: Konrad Leszczynski <konrad.leszczynski@...el.com>, davem@...emloft.net,
	andrew+netdev@...n.ch, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, cezary.rojewski@...el.com,
	sebastian.basierski@...el.com
Subject: Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts
 in ethtool

On Tue, Sep 16, 2025 at 05:45:30PM +0100, Simon Horman wrote:
> On Tue, Sep 16, 2025 at 02:09:31PM +0200, Konrad Leszczynski wrote:
> > Fix kernel exception by replacing memcpy with ethtool_puts when used with
> > safety feature strings in ethtool logic.
> > 
> > [  +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571
> > 
> > [  +0.000005] Call Trace:
> > [  +0.000004]  <TASK>
> > [  +0.000003]  dump_stack_lvl+0x6c/0x90
> > [  +0.000016]  print_report+0xce/0x610
> > [  +0.000011]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000108]  ? kasan_addr_to_slab+0xd/0xa0
> > [  +0.000008]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000101]  kasan_report+0xd4/0x110
> > [  +0.000010]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000102]  kasan_check_range+0x3a/0x1c0
> > [  +0.000010]  __asan_memcpy+0x24/0x70
> > [  +0.000008]  stmmac_get_strings+0x17d/0x520 [stmmac]
> > 
> > Reviewed-by: Sebastian Basierski <sebastian.basierski@...el.com>
> > Reviewed-by: Cezary Rojewski <cezary.rojewski@...el.com>
> > Signed-off-by: Konrad Leszczynski <konrad.leszczynski@...el.com>
> 
> As per my comment on v3 (sorry, I missed that you had already posted v4):
> 
> I think it would be good to explain why using memcpy() is a problem here.
> 
> I looked and it seems to me that one reason is that the strings may be
> too long.

I actually think the strings are too short. But i could be wrong.

In general, stmmac uses:

struct stmmac_stats {
        char stat_string[ETH_GSTRING_LEN] __nonstring;
        int sizeof_stat;
        int stat_offset;
};

so the string is guaranteed to be long enough. However, these 'safety'
features make use of

struct dwmac5_error_desc {
        bool valid;
        const char *desc;
        const char *detailed_desc;
};

where desc can be any length, ironically making
dwmac5_safety_feat_dump() unsafe. This is why i asked that this be
changed to be the same stmmac_stats, so [ETH_GSTRING_LEN]
__nonstring. But that seems to of fallen on deaf ears.

	Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ