netdev - ethtool 5.2 qsfp.c heap buffer overflow

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <CADxRGxCkw=q0i9U1j52wwbW5OJJoU9P_RT4_Mh3AeMmDhEQVmA@mail.gmail.com>
Date:   Tue, 24 Sep 2019 17:41:31 +1000
From:   Qiwei Wen <wenqiweiabcd@...il.com>
To:     netdev@...r.kernel.org
Subject: ethtool 5.2 qsfp.c heap buffer overflow

Hi,

The function "sff8636_dom_parse", called from "sff8636_show_dom",
disregards the module eeprom size returned from the driver and assumes
the existence of upper pages, e.g.

sd->sfp_temp[HALRM] = SFF8636_OFFSET_TO_TEMP(SFF8636_TEMP_HALRM);

To reproduce: return ETH_MODULE_SFF_8636_LEN (256) for module eeprom
length in NIC driver, compile ethtool 5.2 with clang and address
sanitizer linked in, run ethtool -m.

Best regards,
Dave