From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936249Ab3DKVAQ (ORCPT ); Thu, 11 Apr 2013 17:00:16 -0400 Received: from hrndva-omtalb.mail.rr.com ([71.74.56.122]:22974 "EHLO hrndva-omtalb.mail.rr.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935782Ab3DKUtV (ORCPT ); Thu, 11 Apr 2013 16:49:21 -0400 X-Authority-Analysis: v=2.0 cv=F+XVh9dN c=1 sm=0 a=rXTBtCOcEpjy1lPqhTCpEQ==:17 a=mNMOxpOpBa8A:10 a=Ciwy3NGCPMMA:10 a=j2ptps97zMIA:10 a=5SG0PmZfjMsA:10 a=bbbx4UPp9XUA:10 a=meVymXHHAAAA:8 a=VQemytC88AwA:10 a=cm27Pg_UAAAA:8 a=ly4GnlEHAAAA:8 a=yhrCHVGPAAAA:8 a=XxtmG6sFAAAA:8 a=VwQbUJbxAAAA:8 a=Q-fNiiVtAAAA:8 a=J1Y8HTJGAAAA:8 a=jmWCE8W1go-RpaolMxwA:9 a=zv9_9hqRWm8A:10 a=Cz1Weup6jC4A:10 a=NuBSTLBdITsA:10 a=lcTMV_K9oDIA:10 a=4N9Db7Z2_RYA:10 a=jeBq3FmKZ4MA:10 a=ukxwOKhn53AoUMWD:21 a=RtSyyvgh180VEUmH:21 a=rXTBtCOcEpjy1lPqhTCpEQ==:117 X-Cloudmark-Score: 0 X-Authenticated-User: X-Originating-IP: 74.67.115.198 Message-Id: <20130411202601.090087978@goodmis.org> User-Agent: quilt/0.60-1 Date: Thu, 11 Apr 2013 16:26:34 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Kees Cook , Oded Horovitz , Brad Spengler , Matt Carlson , "David S. Miller" Subject: [ 091/171 ] tg3: fix length overflow in VPD firmware parsing References: <20130411202503.783159048@goodmis.org> Content-Disposition: inline; filename=0091-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.6.11.2 stable review patch. If anyone has any objections, please let me know. ------------------ From: Kees Cook [ Upstream commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 ] Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version when present") introduced VPD parsing that contained a potential length overflow. Limit the hardware's reported firmware string length (max 255 bytes) to stay inside the driver's firmware string length (32 bytes). On overflow, truncate the formatted firmware string instead of potentially overwriting portions of the tg3 struct. http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf Signed-off-by: Kees Cook Reported-by: Oded Horovitz Reported-by: Brad Spengler Cc: stable@vger.kernel.org Cc: Matt Carlson Signed-off-by: David S. Miller Signed-off-by: Steven Rostedt --- drivers/net/ethernet/broadcom/tg3.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c index fdb4c52..440e963 100644 --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c @@ -13867,8 +13867,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp) if (j + len > block_end) goto partno; - memcpy(tp->fw_ver, &vpd_data[j], len); - strncat(tp->fw_ver, " bc ", vpdlen - len - 1); + if (len >= sizeof(tp->fw_ver)) + len = sizeof(tp->fw_ver) - 1; + memset(tp->fw_ver, 0, sizeof(tp->fw_ver)); + snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len, + &vpd_data[j]); } partno: -- 1.7.10.4