* [PATCH net 0/2] net/smc: fix out of bound access in netlink interface
@ 2021-01-12 16:21 Karsten Graul
2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw)
To: David Miller, Jakub Kicinski
Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390
Please apply the following patch for smc to netdev's net tree.
Both patches fix possible out-of-bounds reads. The original code expected
that snprintf() reads len-1 bytes from source and appends the terminating
null, but actually snprintf() first copies len bytes and finally overwrites
the last byte with a null.
Fix this by using memcpy() and terminating the string afterwards.
Guvenc Gulce (1):
net/smc: use memcpy instead of snprintf to avoid out of bounds read
Jakub Kicinski (1):
smc: fix out of bound access in smc_nl_get_sys_info()
net/smc/smc_core.c | 20 +++++++++++++-------
net/smc/smc_ib.c | 6 +++---
net/smc/smc_ism.c | 3 ++-
3 files changed, 18 insertions(+), 11 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() 2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul @ 2021-01-12 16:21 ` Karsten Graul 2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul 2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf 2 siblings, 0 replies; 4+ messages in thread From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw) To: David Miller, Jakub Kicinski Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390 From: Jakub Kicinski <kuba@kernel.org> smc_clc_get_hostname() sets the host pointer to a buffer which is not NULL-terminated (see smc_clc_init()). Reported-by: syzbot+f4708c391121cfc58396@syzkaller.appspotmail.com Fixes: 099b990bd11a ("net/smc: Add support for obtaining system information") Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Karsten Graul <kgraul@linux.ibm.com> --- net/smc/smc_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 59342b519e34..8d866b4ed8f6 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -246,7 +246,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb) goto errattr; smc_clc_get_hostname(&host); if (host) { - snprintf(hostname, sizeof(hostname), "%s", host); + memcpy(hostname, host, SMC_MAX_HOSTNAME_LEN); + hostname[SMC_MAX_HOSTNAME_LEN] = 0; if (nla_put_string(skb, SMC_NLA_SYS_LOCAL_HOST, hostname)) goto errattr; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read 2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul 2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul @ 2021-01-12 16:21 ` Karsten Graul 2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf 2 siblings, 0 replies; 4+ messages in thread From: Karsten Graul @ 2021-01-12 16:21 UTC (permalink / raw) To: David Miller, Jakub Kicinski Cc: Heiko Carstens, Stefan Raspl, netdev, linux-s390 From: Guvenc Gulce <guvenc@linux.ibm.com> Using snprintf() to convert not null-terminated strings to null terminated strings may cause out of bounds read in the source string. Therefore use memcpy() and terminate the target string with a null afterwards. Fixes: a3db10efcc4c ("net/smc: Add support for obtaining SMCR device list") Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com> Signed-off-by: Karsten Graul <kgraul@linux.ibm.com> --- net/smc/smc_core.c | 17 +++++++++++------ net/smc/smc_ib.c | 6 +++--- net/smc/smc_ism.c | 3 ++- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 8d866b4ed8f6..0df85a12651e 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -258,7 +258,8 @@ int smc_nl_get_sys_info(struct sk_buff *skb, struct netlink_callback *cb) smc_ism_get_system_eid(smcd_dev, &seid); mutex_unlock(&smcd_dev_list.mutex); if (seid && smc_ism_is_v2_capable()) { - snprintf(smc_seid, sizeof(smc_seid), "%s", seid); + memcpy(smc_seid, seid, SMC_MAX_EID_LEN); + smc_seid[SMC_MAX_EID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_SYS_SEID, smc_seid)) goto errattr; } @@ -296,7 +297,8 @@ static int smc_nl_fill_lgr(struct smc_link_group *lgr, goto errattr; if (nla_put_u8(skb, SMC_NLA_LGR_R_VLAN_ID, lgr->vlan_id)) goto errattr; - snprintf(smc_target, sizeof(smc_target), "%s", lgr->pnet_id); + memcpy(smc_target, lgr->pnet_id, SMC_MAX_PNETID_LEN); + smc_target[SMC_MAX_PNETID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_LGR_R_PNETID, smc_target)) goto errattr; @@ -313,7 +315,7 @@ static int smc_nl_fill_lgr_link(struct smc_link_group *lgr, struct sk_buff *skb, struct netlink_callback *cb) { - char smc_ibname[IB_DEVICE_NAME_MAX + 1]; + char smc_ibname[IB_DEVICE_NAME_MAX]; u8 smc_gid_target[41]; struct nlattr *attrs; u32 link_uid = 0; @@ -462,7 +464,8 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr, goto errattr; if (nla_put_u32(skb, SMC_NLA_LGR_D_CHID, smc_ism_get_chid(lgr->smcd))) goto errattr; - snprintf(smc_pnet, sizeof(smc_pnet), "%s", lgr->smcd->pnetid); + memcpy(smc_pnet, lgr->smcd->pnetid, SMC_MAX_PNETID_LEN); + smc_pnet[SMC_MAX_PNETID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_LGR_D_PNETID, smc_pnet)) goto errattr; @@ -475,10 +478,12 @@ static int smc_nl_fill_smcd_lgr(struct smc_link_group *lgr, goto errv2attr; if (nla_put_u8(skb, SMC_NLA_LGR_V2_OS, lgr->peer_os)) goto errv2attr; - snprintf(smc_host, sizeof(smc_host), "%s", lgr->peer_hostname); + memcpy(smc_host, lgr->peer_hostname, SMC_MAX_HOSTNAME_LEN); + smc_host[SMC_MAX_HOSTNAME_LEN] = 0; if (nla_put_string(skb, SMC_NLA_LGR_V2_PEER_HOST, smc_host)) goto errv2attr; - snprintf(smc_eid, sizeof(smc_eid), "%s", lgr->negotiated_eid); + memcpy(smc_eid, lgr->negotiated_eid, SMC_MAX_EID_LEN); + smc_eid[SMC_MAX_EID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_LGR_V2_NEG_EID, smc_eid)) goto errv2attr; diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c index ddd7fac98b1d..7d7ba0320d5a 100644 --- a/net/smc/smc_ib.c +++ b/net/smc/smc_ib.c @@ -371,8 +371,8 @@ static int smc_nl_handle_dev_port(struct sk_buff *skb, if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR, smcibdev->pnetid_by_user[port])) goto errattr; - snprintf(smc_pnet, sizeof(smc_pnet), "%s", - (char *)&smcibdev->pnetid[port]); + memcpy(smc_pnet, &smcibdev->pnetid[port], SMC_MAX_PNETID_LEN); + smc_pnet[SMC_MAX_PNETID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet)) goto errattr; if (nla_put_u32(skb, SMC_NLA_DEV_PORT_NETDEV, @@ -414,7 +414,7 @@ static int smc_nl_handle_smcr_dev(struct smc_ib_device *smcibdev, struct sk_buff *skb, struct netlink_callback *cb) { - char smc_ibname[IB_DEVICE_NAME_MAX + 1]; + char smc_ibname[IB_DEVICE_NAME_MAX]; struct smc_pci_dev smc_pci_dev; struct pci_dev *pci_dev; unsigned char is_crit; diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c index 524ef64a191a..9c6e95882553 100644 --- a/net/smc/smc_ism.c +++ b/net/smc/smc_ism.c @@ -250,7 +250,8 @@ static int smc_nl_handle_smcd_dev(struct smcd_dev *smcd, goto errattr; if (nla_put_u8(skb, SMC_NLA_DEV_PORT_PNET_USR, smcd->pnetid_by_user)) goto errportattr; - snprintf(smc_pnet, sizeof(smc_pnet), "%s", smcd->pnetid); + memcpy(smc_pnet, smcd->pnetid, SMC_MAX_PNETID_LEN); + smc_pnet[SMC_MAX_PNETID_LEN] = 0; if (nla_put_string(skb, SMC_NLA_DEV_PORT_PNETID, smc_pnet)) goto errportattr; -- 2.17.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net 0/2] net/smc: fix out of bound access in netlink interface 2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul 2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul 2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul @ 2021-01-13 4:30 ` patchwork-bot+netdevbpf 2 siblings, 0 replies; 4+ messages in thread From: patchwork-bot+netdevbpf @ 2021-01-13 4:30 UTC (permalink / raw) To: Karsten Graul; +Cc: davem, kuba, hca, raspl, netdev, linux-s390 Hello: This series was applied to netdev/net.git (refs/heads/master): On Tue, 12 Jan 2021 17:21:20 +0100 you wrote: > Please apply the following patch for smc to netdev's net tree. > > Both patches fix possible out-of-bounds reads. The original code expected > that snprintf() reads len-1 bytes from source and appends the terminating > null, but actually snprintf() first copies len bytes and finally overwrites > the last byte with a null. > Fix this by using memcpy() and terminating the string afterwards. > > [...] Here is the summary with links: - [net,1/2] smc: fix out of bound access in smc_nl_get_sys_info() https://git.kernel.org/netdev/net/c/25fe2c9c4cd2 - [net,2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read https://git.kernel.org/netdev/net/c/8a4465368964 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-13 4:30 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-01-12 16:21 [PATCH net 0/2] net/smc: fix out of bound access in netlink interface Karsten Graul 2021-01-12 16:21 ` [PATCH net 1/2] smc: fix out of bound access in smc_nl_get_sys_info() Karsten Graul 2021-01-12 16:21 ` [PATCH net 2/2] net/smc: use memcpy instead of snprintf to avoid out of bounds read Karsten Graul 2021-01-13 4:30 ` [PATCH net 0/2] net/smc: fix out of bound access in netlink interface patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox