From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752839AbdFTVqk (ORCPT <rfc822;w@1wt.eu>);
        Tue, 20 Jun 2017 17:46:40 -0400
Received: from vps0.lunn.ch ([178.209.37.122]:57701 "EHLO vps0.lunn.ch"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752549AbdFTVq1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Jun 2017 17:46:27 -0400
Date: Tue, 20 Jun 2017 23:46:15 +0200
From: Andrew Lunn <andrew@lunn.ch>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Florian Fainelli <f.fainelli@gmail.com>,
        "David S. Miller" <davem@davemloft.net>,
        Timur Tabi <timur@codeaurora.org>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: phy: smsc: fix buffer overflow in memcpy
Message-ID: <20170620214615.GF12383@lunn.ch>
References: <20170620204059.790066-1-arnd@arndb.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170620204059.790066-1-arnd@arndb.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 20, 2017 at 10:40:46PM +0200, Arnd Bergmann wrote:
> The memcpy annotation triggers for a fixed-length buffer copy:
> 
> In file included from /git/arm-soc/arch/arm64/include/asm/processor.h:30:0,
>                  from /git/arm-soc/arch/arm64/include/asm/spinlock.h:21,
>                  from /git/arm-soc/include/linux/spinlock.h:87,
>                  from /git/arm-soc/include/linux/seqlock.h:35,
>                  from /git/arm-soc/include/linux/time.h:5,
>                  from /git/arm-soc/include/linux/stat.h:21,
>                  from /git/arm-soc/include/linux/module.h:10,
>                  from /git/arm-soc/drivers/net/phy/smsc.c:20:
> In function 'memcpy',
>     inlined from 'smsc_get_strings' at /git/arm-soc/drivers/net/phy/smsc.c:166:3:
> /git/arm-soc/include/linux/string.h:309:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
> 
> Using strncpy instead of memcpy should do the right thing here.

Hi Arnd

You will find this pattern in number of phy drivers:

bcm-phy-lib.c:	   	   memcpy(data + i * ETH_GSTRING_LEN,
marvell.c:			       		   memcpy(data + i * ETH_GSTRING_LEN,
micrel.c:   		memcpy(data + i * ETH_GSTRING_LEN,
smsc.c:				    memcpy(data + i * ETH_GSTRING_LEN,

They probably all need the same fix.

     Andrew