From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Oded Horovitz <oded@privatecore.com>,
	Brad Spengler <spender@grsecurity.net>,
	Matt Carlson <mcarlson@broadcom.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jeff Mahoney <jeffm@suse.com>, Jiri Slaby <jslaby@suse.cz>
Subject: [ 38/39] tg3: fix length overflow in VPD firmware parsing
Date: Fri, 11 Oct 2013 12:35:22 -0700
Message-ID: <20131011193215.005574788@linuxfoundation.org>
In-Reply-To: <20131011193210.843963685@linuxfoundation.org>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.

Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
when present") introduced VPD parsing that contained a potential length
overflow.

Limit the hardware's reported firmware string length (max 255 bytes) to
stay inside the driver's firmware string length (32 bytes). On overflow,
truncate the formatted firmware string instead of potentially overwriting
portions of the tg3 struct.

http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf

-js: This fixes CVE-2013-1929.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Oded Horovitz <oded@privatecore.com>
Reported-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Cc: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/net/tg3.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -13067,8 +13067,11 @@ static void __devinit tg3_read_vpd(struc
 		if (j + len > block_end)
 			goto partno;
 
-		memcpy(tp->fw_ver, &vpd_data[j], len);
-		strncat(tp->fw_ver, " bc ", TG3_NVM_VPD_LEN - len - 1);
+		if (len >= sizeof(tp->fw_ver))
+			len = sizeof(tp->fw_ver) - 1;
+		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
+		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
+			 &vpd_data[j]);
 	}
 
 partno:
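Review bot: after the clamp to sizeof(tp->fw_ver) - 1, the " bc " suffix in the snprintf format is cut off (partially once len exceeds 27, entirely once it reaches 31), so a long VPD string is stored without the marker that a bootcode version follows; the commit message says truncation is the intent, but a one-line comment above the clamp saying the suffix may be lost would save the next reader a question. The memset is redundant with snprintf, which writes every byte up to and including the NUL terminator; it is harmless and fine to keep if the goal is to leave no stale bytes in fw_ver. If len is not declared as int, passing it as the "%.*s" precision deserves an explicit (int) cast to keep format checking quiet.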

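The bounded-copy pattern of the fix, applied to a small VPD keyword scanner, as an added example that is not part of the patch or of the tg3 driver. struct fake_tp, vpd_find_keyword, set_fw_ver and the keyword "VF" are assumptions; the VPD entry layout used (2-byte keyword, 1-byte length, data) is what makes 255 bytes the hardware-side maximum the commit message refers to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct tg3: 32-byte fw_ver plus the field an overflow would hit */
struct fake_tp { char fw_ver[32]; uint32_t guard; };

/* Scan VPD-R keyword entries ("KK", 1-byte length, data) for kw: return the
 * data offset and set *len, or -1 if absent or an entry overruns block_end. */
static int vpd_find_keyword(const uint8_t *vpd, size_t block_end,
			    const char kw[2], size_t *len)
{
	for (size_t i = 0; i + 3 <= block_end; i += 3 + vpd[i + 2]) {
		if (i + 3 + vpd[i + 2] > block_end)
			return -1;
		if (vpd[i] == kw[0] && vpd[i + 1] == kw[1]) {
			*len = vpd[i + 2];
			return (int)(i + 3);
		}
	}
	return -1;
}

/* Bounded copy as in the patched driver: clamp the hardware-supplied length
 * to the destination, then let snprintf truncate and NUL-terminate. */
static int set_fw_ver(struct fake_tp *tp, const uint8_t *vpd,
		      size_t block_end, const char kw[2])
{
	size_t len;
	int j = vpd_find_keyword(vpd, block_end, kw, &len);
	if (j < 0)
		return -1;
	if (len >= sizeof(tp->fw_ver))
		len = sizeof(tp->fw_ver) - 1;
	memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
	snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", (int)len,
		 (const char *)&vpd[j]);
	return 0;
}

/* Constructed hostile VPD: made-up keyword "VF" claiming 200 bytes of 'A'.
 * Returns 1 if the guard survived and fw_ver was truncated to 31 chars. */
static int demo_oversized_fw_string(void)
{
	uint8_t vpd[256] = { 'V', 'F', 200 };
	struct fake_tp tp = { .guard = 0xdeadbeef };
	memset(&vpd[3], 'A', 200);
	return set_fw_ver(&tp, vpd, 203, "VF") == 0 && tp.guard == 0xdeadbeef &&
	       strlen(tp.fw_ver) == sizeof(tp.fw_ver) - 1;
}
```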