From patchwork Wed Aug 23 13:59:49 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 110838
From: Arnd Bergmann
To: Harish Patil, Manish Chopra, Dept-GELinuxNICDev@cavium.com
Cc: Arnd Bergmann, stable@vger.kernel.org, "David S. Miller", Kees Cook, "Gustavo A. R. Silva", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [net-next] qlge: avoid memcpy buffer overflow
Date: Wed, 23 Aug 2017 15:59:49 +0200
Message-Id: <20170823135958.1379527-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Mailing-List: stable@vger.kernel.org

gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:

    inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region
of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.

The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.

Cc: stable@vger.kernel.org
Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann
---
Doesn't seem urgent to me, so please queue it for net-next if it
looks ok.

Interestingly, the hardened memcpy() functions in linux/string.h never
caught this problem even though I think they should have, but gcc-8
found it by default.
---
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.9.0

diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c index 458d55ba423f..fe2599b83d09 100644 --- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c +++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c @@ -705,7 +705,7 @@ static void ql_build_coredump_seg_header( seg_hdr->cookie = MPI_COREDUMP_COOKIE; seg_hdr->segNum = seg_number; seg_hdr->segSize = seg_size; - memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1); + strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1); } /*
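Review bot: the replacement strncpy() call in ql_build_coredump_seg_header() still passes (sizeof(seg_hdr->description)) - 1 as the length, so it never writes the last byte of description, and the visible context (the cookie, segNum and segSize assignments) does not show that byte being cleared. strncpy() zero-pads only up to the length it is given, so a desc that fills the whole count leaves termination dependent on whatever was in that final byte beforehand. Please either confirm in the commit message that the header is zeroed earlier in the function, or terminate explicitly after the copy, for example seg_hdr->description[sizeof(seg_hdr->description) - 1] = '\0';. A smaller point on wording: the gcc diagnostic quoted in the message is about reading 15 bytes from a 14-byte source, so the subject's "buffer overflow" would be more precise as an over-read of desc, which helps stable maintainers judge the impact.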