| Message ID | 20180202151849.808610-1-arnd@arndb.de |
|---|---|
| State | New |
| Headers | show |
| Series | net: cxgb4: avoid memcpy beyond end of source buffer | expand |
From: Arnd Bergmann > Sent: 02 February 2018 15:19 > > Building with link-time-optimizations revealed that the cxgb4 driver does > a fixed-size memcpy() from a variable-length constant string into the > network interface name: ... > I can see two equally workable solutions: either we use a strncpy() instead > of the memcpy() to stop at the end of the input, or we make the source buffer > fixed length as well. This implements the latter. > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h > b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h > index 1d37672902da..a14e8db51cdc 100644 > --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h > +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h > @@ -355,7 +355,7 @@ struct cxgb4_lld_info { > }; > > struct cxgb4_uld_info { > - const char *name; > + char name[IFNAMSIZ]; > void *handle; > unsigned int nrxq; > unsigned int rxq_size; > -- > 2.9.0 Surely there is another part to this patch? David
From: Arnd Bergmann <arnd@arndb.de> Date: Fri, 2 Feb 2018 16:18:37 +0100 > Building with link-time-optimizations revealed that the cxgb4 driver does > a fixed-size memcpy() from a variable-length constant string into the > network interface name: > > In function 'memcpy', > inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2, > inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9: > include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter > __read_overflow2(); > ^ > > I can see two equally workable solutions: either we use a strncpy() instead > of the memcpy() to stop at the end of the input, or we make the source buffer > fixed length as well. This implements the latter. > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Not the most pleasant thing in the world, but I can't think of a better solution. > @@ -355,7 +355,7 @@ struct cxgb4_lld_info { > }; > > struct cxgb4_uld_info { > - const char *name; > + char name[IFNAMSIZ]; > void *handle; > unsigned int nrxq; > unsigned int rxq_size; David Laight asked how this can be the sole part of the patch. All of these structures are initialized like: static struct cxgb4_uld_info { .name = "foo", ... }; So changing from "const char *" to "char []" just works.
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h index 1d37672902da..a14e8db51cdc 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h @@ -355,7 +355,7 @@ struct cxgb4_lld_info { }; struct cxgb4_uld_info { - const char *name; + char name[IFNAMSIZ]; void *handle; unsigned int nrxq; unsigned int rxq_size;
Building with link-time-optimizations revealed that the cxgb4 driver does a fixed-size memcpy() from a variable-length constant string into the network interface name: In function 'memcpy', inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2, inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9: include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter __read_overflow2(); ^ I can see two equally workable solutions: either we use a strncpy() instead of the memcpy() to stop at the end of the input, or we make the source buffer fixed length as well. This implements the latter. Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0