lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250916164530.GM224143@horms.kernel.org>
Date: Tue, 16 Sep 2025 17:45:30 +0100
From: Simon Horman <horms@...nel.org>
To: Konrad Leszczynski <konrad.leszczynski@...el.com>
Cc: davem@...emloft.net, andrew+netdev@...n.ch, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, cezary.rojewski@...el.com,
	sebastian.basierski@...el.com
Subject: Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts
 in ethtool

On Tue, Sep 16, 2025 at 02:09:31PM +0200, Konrad Leszczynski wrote:
> Fix kernel exception by replacing memcpy with ethtool_puts when used with
> safety feature strings in ethtool logic.
> 
> [  +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571
> 
> [  +0.000005] Call Trace:
> [  +0.000004]  <TASK>
> [  +0.000003]  dump_stack_lvl+0x6c/0x90
> [  +0.000016]  print_report+0xce/0x610
> [  +0.000011]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000108]  ? kasan_addr_to_slab+0xd/0xa0
> [  +0.000008]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000101]  kasan_report+0xd4/0x110
> [  +0.000010]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000102]  kasan_check_range+0x3a/0x1c0
> [  +0.000010]  __asan_memcpy+0x24/0x70
> [  +0.000008]  stmmac_get_strings+0x17d/0x520 [stmmac]
> 
> Reviewed-by: Sebastian Basierski <sebastian.basierski@...el.com>
> Reviewed-by: Cezary Rojewski <cezary.rojewski@...el.com>
> Signed-off-by: Konrad Leszczynski <konrad.leszczynski@...el.com>

As per my comment on v3 (sorry, I missed that you had already posted v4):

I think it would be good to explain why using memcpy() is a problem here.

I looked and it seems to me that one reason is that the strings may be
too long. But are there others?

> ---
>  drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> index 77758a7299b4..d5a2b7e9b2a9 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> @@ -752,7 +752,7 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data)
>  				if (!stmmac_safety_feat_dump(priv,
>  							&priv->sstats, i,
>  							NULL, &desc)) {
> -					memcpy(p, desc, ETH_GSTRING_LEN);
> +					ethtool_puts(&p, desc);
>  					p += ETH_GSTRING_LEN;

ethtool_puts() increments p, so I think the line above should be removed.

>  				}
>  			}
> -- 
> 2.34.1
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ