From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Daniel Axtens <dja@axtens.net>,
"Igor M. Liplianin" <liplianin@netup.ru>,
Kees Cook <keescook@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.5 25/41] altera-stapl: altera_get_note: prevent write beyond end of 'key'
Date: Sun, 15 Mar 2020 22:33:03 -0400 [thread overview]
Message-ID: <20200316023319.749-25-sashal@kernel.org> (raw)
In-Reply-To: <20200316023319.749-1-sashal@kernel.org>
From: Daniel Axtens <dja@axtens.net>
[ Upstream commit 3745488e9d599916a0b40d45d3f30e3d4720288e ]
altera_get_note is called from altera_init, where key is kzalloc(33).
When the allocation functions are annotated to allow the compiler to see
the sizes of objects, and with FORTIFY_SOURCE, we see:
In file included from drivers/misc/altera-stapl/altera.c:14:0:
In function ‘strlcpy’,
inlined from ‘altera_init’ at drivers/misc/altera-stapl/altera.c:2189:5:
include/linux/string.h:378:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
__write_overflow();
^~~~~~~~~~~~~~~~~~
That refers to this code in altera_get_note:
if (key != NULL)
strlcpy(key, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i)])],
length);
The error triggers because the length of 'key' is 33, but the copy
uses length supplied as the 'length' parameter, which is always
256. Split the size parameter into key_len and val_len, and use the
appropriate length depending on what is being copied.
Detected by compiler error, only compile-tested.
Cc: "Igor M. Liplianin" <liplianin@netup.ru>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Link: https://lore.kernel.org/r/20200120074344.504-2-dja@axtens.net
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202002251042.D898E67AC@keescook
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/altera-stapl/altera.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/altera-stapl/altera.c b/drivers/misc/altera-stapl/altera.c
index 25e5f24b3fecd..5bdf574723144 100644
--- a/drivers/misc/altera-stapl/altera.c
+++ b/drivers/misc/altera-stapl/altera.c
@@ -2112,8 +2112,8 @@ static int altera_execute(struct altera_state *astate,
return status;
}
-static int altera_get_note(u8 *p, s32 program_size,
- s32 *offset, char *key, char *value, int length)
+static int altera_get_note(u8 *p, s32 program_size, s32 *offset,
+ char *key, char *value, int keylen, int vallen)
/*
* Gets key and value of NOTE fields in the JBC file.
* Can be called in two modes: if offset pointer is NULL,
@@ -2170,7 +2170,7 @@ static int altera_get_note(u8 *p, s32 program_size,
&p[note_table + (8 * i) + 4])];
if (value != NULL)
- strlcpy(value, value_ptr, length);
+ strlcpy(value, value_ptr, vallen);
}
}
@@ -2189,13 +2189,13 @@ static int altera_get_note(u8 *p, s32 program_size,
strlcpy(key, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i)])],
- length);
+ keylen);
if (value != NULL)
strlcpy(value, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i) + 4])],
- length);
+ vallen);
*offset = i + 1;
}
@@ -2449,7 +2449,7 @@ int altera_init(struct altera_config *config, const struct firmware *fw)
__func__, (format_version == 2) ? "Jam STAPL" :
"pre-standardized Jam 1.1");
while (altera_get_note((u8 *)fw->data, fw->size,
- &offset, key, value, 256) == 0)
+ &offset, key, value, 32, 256) == 0)
printk(KERN_INFO "%s: NOTE \"%s\" = \"%s\"\n",
__func__, key, value);
}
--
2.20.1
next prev parent reply other threads:[~2020-03-16 2:40 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-16 2:32 [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 02/41] spi: spi-omap2-mcspi: Support probe deferral for DMA channels Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 03/41] drm/mediatek: Find the cursor plane instead of hard coding it Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 04/41] drm/mediatek: Ensure the cursor plane is on top of other overlays Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 05/41] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Sasha Levin
2020-03-16 7:21 ` Johan Hovold
2020-03-22 12:54 ` Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 06/41] phy: ti: gmii-sel: fix set of copy-paste errors Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 07/41] phy: ti: gmii-sel: do not fail in case of gmii Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 08/41] ARM: dts: dra7-l4: mark timer13-16 as pwm capable Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 09/41] ASoC: meson: g12a: add tohdmitx reset Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 10/41] spi: qup: call spi_qup_pm_resume_runtime before suspending Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 11/41] powerpc: Include .BTF section Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 12/41] cifs: fix potential mismatch of UNC paths Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 13/41] cifs: add missing mount option to /proc/mounts Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 14/41] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 15/41] spi: pxa2xx: Add CS control clock quirk Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 16/41] spi/zynqmp: remove entry that causes a cs glitch Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 17/41] ARM: dts: bcm283x: Add missing properties to the PWR LED Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 18/41] drm/exynos: dsi: propagate error value and silence meaningless warning Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 19/41] drm/exynos: dsi: fix workaround for the legacy clock name Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 20/41] drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails Sasha Levin
2020-03-16 2:32 ` [PATCH AUTOSEL 5.5 21/41] drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 22/41] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 23/41] io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 24/41] ARM: bcm2835_defconfig: Explicitly restore CONFIG_DEBUG_FS Sasha Levin
2020-03-16 2:33 ` Sasha Levin [this message]
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 26/41] dm bio record: save/restore bi_end_io and bi_integrity Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 27/41] dm integrity: use dm_bio_record and dm_bio_restore Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 28/41] riscv: avoid the PIC offset of static percpu data in module beyond 2G limits Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 29/41] ASoC: stm32: sai: manage rebind issue Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 30/41] spi: spi_register_controller(): free bus id on error paths Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 31/41] riscv: Force flat memory model with no-mmu Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 32/41] riscv: Fix range looking for kernel image memblock Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 33/41] drm/amdgpu: clean wptr on wb when gpu recovery Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 34/41] drm/amd/display: Clear link settings on MST disable connector Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 35/41] drm/amd/display: fix dcc swath size calculations on dcn1 Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 36/41] xenbus: req->body should be updated before req->state Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 37/41] xenbus: req->err " Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 38/41] riscv: fix seccomp reject syscall code path Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 39/41] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 40/41] parse-maintainers: Mark as executable Sasha Levin
2020-03-16 2:33 ` [PATCH AUTOSEL 5.5 41/41] io_uring: fix lockup with timeouts Sasha Levin
2020-03-16 11:50 ` [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Mark Brown
2020-03-22 19:37 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200316023319.749-25-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dja@axtens.net \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liplianin@netup.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).