lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Tue,  3 Dec 2019 11:03:45 -0500
From:   Laura Abbott <>
To:     Pablo Neira Ayuso <>,
        Jozsef Kadlecsik <>,
        Florian Westphal <>,
        "David S. Miller" <>
Cc:     Laura Abbott <>,,,,, Kees Cook <>
Subject: [PATCH] netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle

The sizes for memcpy in flow_offload_mangle don't match
the source variables, leading to overflow errors on some
build configurations:

In function 'memcpy',
    inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
    inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
    inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
  376 |    __read_overflow2();
      |    ^~~~~~~~~~~~~~~~~~
make[2]: *** [scripts/ net/netfilter/nf_flow_table_offload.o] Error 1

Fix this by using the corresponding type.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Laura Abbott <>
Seen on a Fedora powerpc little endian build with -O3 but it looks like
it is correctly catching an error with doing a memcpy outside the source
 net/netfilter/nf_flow_table_offload.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index c54c9a6cc981..526f894d0bdb 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -108,8 +108,8 @@ static void flow_offload_mangle(struct flow_action_entry *entry,
 	entry->id = FLOW_ACTION_MANGLE;
 	entry->mangle.htype = htype;
 	entry->mangle.offset = offset;
-	memcpy(&entry->mangle.mask, mask, sizeof(u32));
-	memcpy(&entry->mangle.val, value, sizeof(u32));
+	memcpy(&entry->mangle.mask, mask, sizeof(u8));
+	memcpy(&entry->mangle.val, value, sizeof(u8));
 static inline struct flow_action_entry *

Powered by blists - more mailing lists