From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
kernel test robot <lkp@intel.com>,
Ariel Elior <aelior@marvell.com>,
Sudarsana Kalluru <skalluru@marvell.com>,
Manish Chopra <manishc@marvell.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.8 03/68] bnx2x: Fix firmware version string character counts
Date: Fri, 29 Mar 2024 08:24:59 -0400 [thread overview]
Message-ID: <20240329122652.3082296-3-sashal@kernel.org> (raw)
In-Reply-To: <20240329122652.3082296-1-sashal@kernel.org>
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 5642c82b9463c3263c086efb002516244bd4c668 ]
A potential string truncation was reported in bnx2x_fill_fw_str(),
when a long bp->fw_ver and a long phy_fw_ver might coexist, but seems
unlikely with real-world hardware.
Use scnprintf() to indicate the intent that truncations are tolerated.
While reading this code, I found a collection of various buffer size
counting issues. None looked like they might lead to a buffer overflow
with current code (the small buffers are 20 bytes and might only ever
consume 10 bytes twice with a trailing %NUL). However, early truncation
(due to a %NUL in the middle of the string) might be happening under
likely rare conditions. Regardless fix the formatters and related
functions:
- Switch from a separate strscpy() to just adding an additional "%s" to
the format string that immediately follows it in bnx2x_fill_fw_str().
- Use sizeof() universally instead of using unbound defines.
- Fix bnx2x_7101_format_ver() and bnx2x_null_format_ver() to report the
number of characters written, not including the trailing %NUL (as
already done with the other firmware formatting functions).
- Require space for at least 1 byte in bnx2x_get_ext_phy_fw_version()
for the trailing %NUL.
- Correct the needed buffer size in bnx2x_3_seq_format_ver().
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202401260858.jZN6vD1k-lkp@intel.com/
Cc: Ariel Elior <aelior@marvell.com>
Cc: Sudarsana Kalluru <skalluru@marvell.com>
Cc: Manish Chopra <manishc@marvell.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20240126041044.work.220-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 9 +++++----
.../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 14 +++++++-------
3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index e9c1e1bb55806..528441b28c4ef 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -147,10 +147,11 @@ void bnx2x_fill_fw_str(struct bnx2x *bp, char *buf, size_t buf_len)
phy_fw_ver[0] = '\0';
bnx2x_get_ext_phy_fw_version(&bp->link_params,
- phy_fw_ver, PHY_FW_VER_LEN);
- strscpy(buf, bp->fw_ver, buf_len);
- snprintf(buf + strlen(bp->fw_ver), 32 - strlen(bp->fw_ver),
- "bc %d.%d.%d%s%s",
+ phy_fw_ver, sizeof(phy_fw_ver));
+ /* This may become truncated. */
+ scnprintf(buf, buf_len,
+ "%sbc %d.%d.%d%s%s",
+ bp->fw_ver,
(bp->common.bc_ver & 0xff0000) >> 16,
(bp->common.bc_ver & 0xff00) >> 8,
(bp->common.bc_ver & 0xff),
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
index 81d232e6d05fe..0bc7690cdee16 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
@@ -1132,7 +1132,7 @@ static void bnx2x_get_drvinfo(struct net_device *dev,
}
memset(version, 0, sizeof(version));
- bnx2x_fill_fw_str(bp, version, ETHTOOL_FWVERS_LEN);
+ bnx2x_fill_fw_str(bp, version, sizeof(version));
strlcat(info->fw_version, version, sizeof(info->fw_version));
strscpy(info->bus_info, pci_name(bp->pdev), sizeof(info->bus_info));
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
index 02808513ffe45..ea310057fe3af 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -6163,8 +6163,8 @@ static void bnx2x_link_int_ack(struct link_params *params,
static int bnx2x_null_format_ver(u32 spirom_ver, u8 *str, u16 *len)
{
- str[0] = '\0';
- (*len)--;
+ if (*len)
+ str[0] = '\0';
return 0;
}
@@ -6173,7 +6173,7 @@ static int bnx2x_format_ver(u32 num, u8 *str, u16 *len)
u16 ret;
if (*len < 10) {
- /* Need more than 10chars for this format */
+ /* Need more than 10 chars for this format */
bnx2x_null_format_ver(num, str, len);
return -EINVAL;
}
@@ -6188,8 +6188,8 @@ static int bnx2x_3_seq_format_ver(u32 num, u8 *str, u16 *len)
{
u16 ret;
- if (*len < 10) {
- /* Need more than 10chars for this format */
+ if (*len < 9) {
+ /* Need more than 9 chars for this format */
bnx2x_null_format_ver(num, str, len);
return -EINVAL;
}
@@ -6208,7 +6208,7 @@ int bnx2x_get_ext_phy_fw_version(struct link_params *params, u8 *version,
int status = 0;
u8 *ver_p = version;
u16 remain_len = len;
- if (version == NULL || params == NULL)
+ if (version == NULL || params == NULL || len == 0)
return -EINVAL;
bp = params->bp;
@@ -11546,7 +11546,7 @@ static int bnx2x_7101_format_ver(u32 spirom_ver, u8 *str, u16 *len)
str[2] = (spirom_ver & 0xFF0000) >> 16;
str[3] = (spirom_ver & 0xFF000000) >> 24;
str[4] = '\0';
- *len -= 5;
+ *len -= 4;
return 0;
}
--
2.43.0
next prev parent reply other threads:[~2024-03-29 12:26 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 12:24 [PATCH AUTOSEL 6.8 01/68] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
2024-03-29 12:24 ` [PATCH AUTOSEL 6.8 02/68] wifi: rtw89: fix null pointer access when abort scan Sasha Levin
2024-03-29 12:24 ` Sasha Levin [this message]
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 04/68] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 05/68] batman-adv: Improve exception handling in batadv_throw_uevent() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 06/68] arm64: dts: qcom: Add support for Xiaomi Redmi Note 9S Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 07/68] net: stmmac: dwmac-starfive: Add support for JH7100 SoC Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 08/68] net: phy: phy_device: Prevent nullptr exceptions on ISR Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 09/68] wifi: rtw89: pci: validate RX tag for RXQ and RPQ Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 10/68] wifi: rtw89: pci: enlarge RX DMA buffer to consider size of RX descriptor Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 11/68] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 12/68] wifi: iwlwifi: pcie: Add the PCI device id for new hardware Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 13/68] arm64: dts: qcom: qcm6490-idp: Add definition for three LEDs Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 14/68] net: dsa: qca8k: put MDIO controller OF node if unavailable Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 15/68] arm64: dts: ti: Makefile: Add HDMI audio check for AM62A7-SK Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 16/68] arm64: dts: qcom: qrb2210-rb1: disable cluster power domains Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 17/68] printk: For @suppress_panic_printk check for other CPU in panic Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 18/68] printk: Add this_cpu_in_panic() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 19/68] printk: Avoid non-panic CPUs writing to ringbuffer Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 20/68] panic: Flush kernel log buffer at the end Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 21/68] dump_stack: Do not get cpu_sync for panic CPU Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 22/68] wifi: iwlwifi: pcie: Add new PCI device id and CNVI Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 23/68] cpuidle: Avoid potential overflow in integer multiplication Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 24/68] ARM: dts: rockchip: fix rk3288 hdmi ports node Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 25/68] ARM: dts: rockchip: fix rk322x " Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 26/68] arm64: dts: rockchip: fix rk3328 " Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 27/68] arm64: dts: rockchip: fix rk3399 " Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 28/68] net: add netdev_lockdep_set_classes() to virtual drivers Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 29/68] arm64: dts: qcom: qcs6490-rb3gen2: Declare GCC clocks protected Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 30/68] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 31/68] pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 32/68] arm64: dts: sc8280xp: correct DMIC2 and DMIC3 pin config node names Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 33/68] arm64: dts: sm8450: " Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 34/68] arm64: dts: sm8550: " Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 35/68] arm64: dts: sm8650: " Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 36/68] ACPI: resource: Add IRQ override quirk for ASUS ExpertBook B2502FBA Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 37/68] ionic: set adminq irq affinity Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 38/68] net: skbuff: add overflow debug check to pull/push helpers Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 39/68] net: mdio: mdio-bcm-unimac: Manage clock around I/O accesses Sasha Levin
2024-04-02 12:41 ` Florian Fainelli
2024-04-07 23:37 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 40/68] firmware: tegra: bpmp: Return directly after a failed kzalloc() in get_filename() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 41/68] wifi: brcmfmac: Add DMI nvram filename quirk for ACEPC W5 Pro Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 42/68] wifi: mt76: mt7915: add locking for accessing mapped registers Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 43/68] wifi: mt76: mt7996: disable AMSDU for non-data frames Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 44/68] wifi: mt76: mt7996: add locking for accessing mapped registers Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 45/68] ACPI: x86: Move acpi_quirk_skip_serdev_enumeration() out of CONFIG_X86_ANDROID_TABLETS Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 46/68] ACPI: x86: Add DELL0501 handling to acpi_quirk_skip_serdev_enumeration() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 47/68] pstore/zone: Add a null pointer check to the psz_kmsg_read Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 48/68] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 49/68] net: pcs: xpcs: Return EINVAL in the internal methods Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 50/68] dma-direct: Leak pages on dma_set_decrypted() failure Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 51/68] wifi: ath11k: decrease MHI channel buffer length to 8KB Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 52/68] iommu/arm-smmu-v3: Hold arm_smmu_asid_lock during all of attach_dev Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 53/68] sparc: vdso: Disable UBSAN instrumentation Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 54/68] cpufreq: Don't unregister cpufreq cooling on CPU hotplug Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 55/68] overflow: Allow non-type arg to type_max() and type_min() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 56/68] sh: Fix build with CONFIG_UBSAN=y Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 57/68] wifi: iwlwifi: Add missing MODULE_FIRMWARE() for *.pnvm Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 58/68] wifi: cfg80211: check A-MSDU format more carefully Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 59/68] btrfs: preallocate temporary extent buffer for inode logging when needed Sasha Levin
2024-04-02 13:35 ` David Sterba
2024-04-03 0:33 ` Sasha Levin
2024-04-04 18:58 ` David Sterba
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 60/68] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 61/68] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Sasha Levin
2024-03-29 12:25 ` [PATCH AUTOSEL 6.8 62/68] btrfs: send: handle path ref underflow in header iterate_inode_ref() Sasha Levin
2024-03-29 12:25 ` [Intel-wired-lan] [PATCH AUTOSEL 6.8 63/68] ice: use relative VSI index for VFs instead of PF VSI number Sasha Levin
2024-03-29 12:25 ` Sasha Levin
2024-03-29 12:26 ` [PATCH AUTOSEL 6.8 64/68] net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() Sasha Levin
2024-03-29 12:26 ` [PATCH AUTOSEL 6.8 65/68] netdev: let netlink core handle -EMSGSIZE errors Sasha Levin
2024-03-29 12:26 ` [PATCH AUTOSEL 6.8 66/68] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Sasha Levin
2024-03-29 12:26 ` [PATCH AUTOSEL 6.8 67/68] Bluetooth: btmtk: Add MODULE_FIRMWARE() for MT7922 Sasha Levin
2024-03-29 12:26 ` Sasha Levin
2024-03-29 12:26 ` [PATCH AUTOSEL 6.8 68/68] Bluetooth: Add new quirk for broken read key length on ATS2851 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240329122652.3082296-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aelior@marvell.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=manishc@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=skalluru@marvell.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.