From patchwork Wed May 10 19:24:51 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9720595 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 24CC260364 for ; Wed, 10 May 2017 19:25:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 384AF28637 for ; Wed, 10 May 2017 19:25:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2CAE528639; Wed, 10 May 2017 19:25:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI,RCVD_IN_SORBS_SPAM autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B61BB28637 for ; Wed, 10 May 2017 19:25:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754080AbdEJTY4 (ORCPT ); Wed, 10 May 2017 15:24:56 -0400 Received: from mail-pg0-f44.google.com ([74.125.83.44]:33127 "EHLO mail-pg0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753924AbdEJTYy (ORCPT ); Wed, 10 May 2017 15:24:54 -0400 Received: by mail-pg0-f44.google.com with SMTP id u187so2554936pgb.0 for ; Wed, 10 May 2017 12:24:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=RO/S7cpwFl/adVl4GmLCzh6nrb0XQCe9R0caR/W5u18=; b=MKJFTohzkQ4jDJJY9mcHucyXQOoebn+Gw1jH0q/D7bRpFJET6oKaY4bplNsvvOLrgW 8b/gm7IFl4Q1HTD41aEg8iV9lwEoZ9YRckRvxGppoPdp1wraf2y5VcKwlcvwac16aVAW CSfiMeCHyVcfc9W/E0LejWETP3wm/O2jP/+oc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=RO/S7cpwFl/adVl4GmLCzh6nrb0XQCe9R0caR/W5u18=; b=GTZ1PN2uvoAzKT+SzkFaxqYWjklSvC7VY+19mIJZeYbYazLQF9Vj+4m4J6v26MpCOF 0CUs4jL53u8LDY4q2cgTJM0dLTkhTkOzzh4nwrq8l7UDRDdNZO8jYyvKpQA+grMNoTtc EhKa+nLKN9RyLLBj3gosXdrfpTiSk7VLVQiu65Hj/3Vddi5+cHJfko9Ksaz9/3xXR6F0 0+CUYzPGlx7m+PiSNU72/w+29Ke9mNG6p/knK4R/CAGrRje7mFu3GcraIEGnYcGg8mXl PYMaVOoDdlTC/yweyqCjCXAGvuGkL4EKshF0ME1j/1/lVA0yayeLkvRNc0OVbUi02/99 8L/g== X-Gm-Message-State: AODbwcA0AeeaK9VAS4/mr5XLrvZp9go4BRveqRgiv/Nskc79KEXTrLWr yQW7bWNotkl+vFiw X-Received: by 10.84.197.1 with SMTP id m1mr10341164pld.183.1494444293390; Wed, 10 May 2017 12:24:53 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id 187sm6176155pgj.66.2017.05.10.12.24.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 May 2017 12:24:52 -0700 (PDT) Date: Wed, 10 May 2017 12:24:51 -0700 From: Kees Cook To: netdev@vger.kernel.org Cc: Joe Perches , Kalle Valo , libertas-dev@lists.infradead.org, linux-wireless@vger.kernel.org, Daniel Micay , linux-kernel@vger.kernel.org Subject: [PATCH] libertas: Avoid reading past end of buffer Message-ID: <20170510192451.GA115771@beast> MIME-Version: 1.0 Content-Disposition: inline Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Using memcpy() from a string that is shorter than the length copied means the destination buffer is being filled with arbitrary data from the kernel rodata segment. Instead, redefine the stat strings to be ETH_GSTRING_LEN sizes, like other drivers. This lets us use a single memcpy that does not leak rodata contents. Additionally adjust indentation to keep checkpatch.pl happy. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay Signed-off-by: Kees Cook --- v2: use ETH_GSTRING_LEN; joe --- drivers/net/wireless/marvell/libertas/mesh.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c index d0c881dd5846..6076c83ce5ab 100644 --- a/drivers/net/wireless/marvell/libertas/mesh.c +++ b/drivers/net/wireless/marvell/libertas/mesh.c @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, * Ethtool related */ -static const char * const mesh_stat_strings[] = { - "drop_duplicate_bcast", - "drop_ttl_zero", - "drop_no_fwd_route", - "drop_no_buffers", - "fwded_unicast_cnt", - "fwded_bcast_cnt", - "drop_blind_table", - "tx_failed_cnt" +static const char mesh_stat_strings[MESH_STATS_NUM][ETH_GSTRING_LEN] = { + "drop_duplicate_bcast", + "drop_ttl_zero", + "drop_no_fwd_route", + "drop_no_buffers", + "fwded_unicast_cnt", + "fwded_bcast_cnt", + "drop_blind_table", + "tx_failed_cnt" }; void lbs_mesh_ethtool_get_stats(struct net_device *dev, @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device *dev, int sset) void lbs_mesh_ethtool_get_strings(struct net_device *dev, uint32_t stringset, uint8_t *s) { - int i; - lbs_deb_enter(LBS_DEB_ETHTOOL); switch (stringset) { case ETH_SS_STATS: - for (i = 0; i < MESH_STATS_NUM; i++) { - memcpy(s + i * ETH_GSTRING_LEN, - mesh_stat_strings[i], - ETH_GSTRING_LEN); - } + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings)); break; } lbs_deb_enter(LBS_DEB_ETHTOOL);