From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Daniel Axtens <dja@axtens.net>,
"Igor M. Liplianin" <liplianin@netup.ru>,
Kees Cook <keescook@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.5 25/41] altera-stapl: altera_get_note: prevent write beyond end of 'key'
Date: Sun, 15 Mar 2020 22:33:03 -0400 [thread overview]
Message-ID: <20200316023319.749-25-sashal@kernel.org> (raw)
In-Reply-To: <20200316023319.749-1-sashal@kernel.org>
From: Daniel Axtens <dja@axtens.net>
[ Upstream commit 3745488e9d599916a0b40d45d3f30e3d4720288e ]
altera_get_note is called from altera_init, where key is kzalloc(33).
When the allocation functions are annotated to allow the compiler to see
the sizes of objects, and with FORTIFY_SOURCE, we see:
In file included from drivers/misc/altera-stapl/altera.c:14:0:
In function ‘strlcpy’,
inlined from ‘altera_init’ at drivers/misc/altera-stapl/altera.c:2189:5:
include/linux/string.h:378:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
__write_overflow();
^~~~~~~~~~~~~~~~~~
That refers to this code in altera_get_note:
if (key != NULL)
strlcpy(key, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i)])],
length);
The error triggers because the length of 'key' is 33, but the copy
uses length supplied as the 'length' parameter, which is always
256. Split the size parameter into key_len and val_len, and use the
appropriate length depending on what is being copied.
Detected by compiler error, only compile-tested.
Cc: "Igor M. Liplianin" <liplianin@netup.ru>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Link: https://lore.kernel.org/r/20200120074344.504-2-dja@axtens.net
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202002251042.D898E67AC@keescook
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/altera-stapl/altera.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/altera-stapl/altera.c b/drivers/misc/altera-stapl/altera.c
index 25e5f24b3fecd..5bdf574723144 100644
--- a/drivers/misc/altera-stapl/altera.c
+++ b/drivers/misc/altera-stapl/altera.c
@@ -2112,8 +2112,8 @@ static int altera_execute(struct altera_state *astate,
return status;
}
-static int altera_get_note(u8 *p, s32 program_size,
- s32 *offset, char *key, char *value, int length)
+static int altera_get_note(u8 *p, s32 program_size, s32 *offset,
+ char *key, char *value, int keylen, int vallen)
/*
* Gets key and value of NOTE fields in the JBC file.
* Can be called in two modes: if offset pointer is NULL,
@@ -2170,7 +2170,7 @@ static int altera_get_note(u8 *p, s32 program_size,
&p[note_table + (8 * i) + 4])];
if (value != NULL)
- strlcpy(value, value_ptr, length);
+ strlcpy(value, value_ptr, vallen);
}
}
@@ -2189,13 +2189,13 @@ static int altera_get_note(u8 *p, s32 program_size,
strlcpy(key, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i)])],
- length);
+ keylen);
if (value != NULL)
strlcpy(value, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i) + 4])],
- length);
+ vallen);
*offset = i + 1;
}
@@ -2449,7 +2449,7 @@ int altera_init(struct altera_config *config, const struct firmware *fw)
__func__, (format_version == 2) ? "Jam STAPL" :
"pre-standardized Jam 1.1");
while (altera_get_note((u8 *)fw->data, fw->size,
- &offset, key, value, 256) == 0)
+ &offset, key, value, 32, 256) == 0)
printk(KERN_INFO "%s: NOTE \"%s\" = \"%s\"\n",
__func__, key, value);
}
--
2.20.1
next prev parent reply other threads:[~2020-03-16 2:41 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-16 2:32 [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 02/41] spi: spi-omap2-mcspi: Support probe deferral for DMA channels Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 03/41] drm/mediatek: Find the cursor plane instead of hard coding it Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 04/41] drm/mediatek: Ensure the cursor plane is on top of other overlays Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 05/41] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 7:21 ` Johan Hovold
2020-03-16 7:21 ` Johan Hovold
2020-03-22 12:54 ` Sasha Levin
2020-03-22 12:54 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 06/41] phy: ti: gmii-sel: fix set of copy-paste errors Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 07/41] phy: ti: gmii-sel: do not fail in case of gmii Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 08/41] ARM: dts: dra7-l4: mark timer13-16 as pwm capable Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 09/41] ASoC: meson: g12a: add tohdmitx reset Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 10/41] spi: qup: call spi_qup_pm_resume_runtime before suspending Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 11/41] powerpc: Include .BTF section Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 12/41] cifs: fix potential mismatch of UNC paths Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 13/41] cifs: add missing mount option to /proc/mounts Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 14/41] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 15/41] spi: pxa2xx: Add CS control clock quirk Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 16/41] spi/zynqmp: remove entry that causes a cs glitch Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 17/41] ARM: dts: bcm283x: Add missing properties to the PWR LED Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 18/41] drm/exynos: dsi: propagate error value and silence meaningless warning Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 19/41] drm/exynos: dsi: fix workaround for the legacy clock name Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 20/41] drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 21/41] drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition Sasha Levin
2020-03-16 2:32 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 22/41] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 23/41] io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 24/41] ARM: bcm2835_defconfig: Explicitly restore CONFIG_DEBUG_FS Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` Sasha Levin [this message]
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 26/41] dm bio record: save/restore bi_end_io and bi_integrity Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 27/41] dm integrity: use dm_bio_record and dm_bio_restore Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 28/41] riscv: avoid the PIC offset of static percpu data in module beyond 2G limits Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 29/41] ASoC: stm32: sai: manage rebind issue Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 30/41] spi: spi_register_controller(): free bus id on error paths Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 31/41] riscv: Force flat memory model with no-mmu Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 32/41] riscv: Fix range looking for kernel image memblock Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 33/41] drm/amdgpu: clean wptr on wb when gpu recovery Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 34/41] drm/amd/display: Clear link settings on MST disable connector Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 35/41] drm/amd/display: fix dcc swath size calculations on dcn1 Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [Xen-devel] [PATCH AUTOSEL 5.5 36/41] xenbus: req->body should be updated before req->state Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [Xen-devel] [PATCH AUTOSEL 5.5 37/41] xenbus: req->err " Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 38/41] riscv: fix seccomp reject syscall code path Sasha Levin
2020-03-16 2:33 ` Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 39/41] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 40/41] parse-maintainers: Mark as executable Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 41/41] io_uring: fix lockup with timeouts Sasha Levin
[not found] ` <20200316023319.749-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2020-03-16 11:50 ` [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Mark Brown
2020-03-16 11:50 ` Mark Brown
[not found] ` <20200316115057.GB5010-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2020-03-22 19:37 ` Sasha Levin
2020-03-22 19:37 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200316023319.749-25-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dja@axtens.net \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liplianin@netup.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.