Re: ethtool generate a buffer overflow in strlen

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jakub Kicinski <kuba@kernel.org>
To: Jules Maselbas <jmaselbas@kalray.eu>
Cc: Claudiu Manoil <claudiu.manoil@nxp.com>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org
Subject: Re: ethtool generate a buffer overflow in strlen
Date: Fri, 22 Jul 2022 14:29:42 -0700	[thread overview]
Message-ID: <20220722142942.48f4332c@kernel.org> (raw)
In-Reply-To: <20220722173745.GB13990@tellis.lin.mbt.kalray.eu>

On Fri, 22 Jul 2022 19:37:46 +0200 Jules Maselbas wrote:
> There is suspicious lines in the file drivers/net/ethernet/freescale/enetc/enetc_ethtool.c:
>    { ENETC_PM0_R1523X, "MAC rx 1523 to max-octet packets" },
> and:
>    { ENETC_PM0_T1523X, "MAC tx 1523 to max-octet packets" },
> 
> Where the string length is actually greater than 32 bytes which is more
> than the reserved space for the name. This structure is defined as
> follow:
>     static const struct {
>         int reg;
>         char name[ETH_GSTRING_LEN];
>     } enetc_port_counters[] = { ...
> 
> In the function enetc_get_strings(), there is a strlcpy call on the
> counters names which in turns calls strlen on the src string, causing
> an out-of-bound read, at least out-of the string.
> 
> I am not sure that's what caused the BUG, as I don't really know how
> fortify works but I thinks this might only be visible when fortify is
> enabled.
> 
> I am not sure on how to fix this issue, maybe use `char *` instead of
> an byte array.

Thanks for the report!

I'd suggest to just delete the RMON stats in the unstructured API
in this driver and report them via
 
	ethtool -S eth0 --groups rmon

No point trying to figure out a way to make the old API more
resilient IMO when we have an alternative.

next prev parent reply	other threads:[~2022-07-22 21:29 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-22 17:37 ethtool generate a buffer overflow in strlen Jules Maselbas
2022-07-22 21:29 ` Jakub Kicinski [this message]
2022-07-25 12:20   ` Jules Maselbas
2022-07-25 12:26     ` Claudiu Manoil
2022-07-25 16:03       ` Jules Maselbas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220722142942.48f4332c@kernel.org \
    --to=kuba@kernel.org \
    --cc=claudiu.manoil@nxp.com \
    --cc=davem@davemloft.net \
    --cc=jmaselbas@kalray.eu \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.