Message ID | 1365774362-12945-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On 04/12/2013 06:46 AM, Luis Henriques wrote: > From: Kees Cook <keescook@chromium.org> > > CVE-2013-1929 > > BugLink: http://bugs.launchpad.net/bugs/1167065 > > Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version > when present") introduced VPD parsing that contained a potential length > overflow. > > Limit the hardware's reported firmware string length (max 255 bytes) to > stay inside the driver's firmware string length (32 bytes). On overflow, > truncate the formatted firmware string instead of potentially overwriting > portions of the tg3 struct. > > http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf > > Signed-off-by: Kees Cook <keescook@chromium.org> > Reported-by: Oded Horovitz <oded@privatecore.com> > Reported-by: Brad Spengler <spender@grsecurity.net> > Cc: stable@vger.kernel.org > Cc: Matt Carlson <mcarlson@broadcom.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > drivers/net/ethernet/broadcom/tg3.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c > index ca3be73..c2450f4 100644 > --- a/drivers/net/ethernet/broadcom/tg3.c > +++ b/drivers/net/ethernet/broadcom/tg3.c > @@ -13617,8 +13617,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp) > if (j + len > block_end) > goto partno; > > - memcpy(tp->fw_ver, &vpd_data[j], len); > - strncat(tp->fw_ver, " bc ", vpdlen - len - 1); > + if (len >= sizeof(tp->fw_ver)) > + len = sizeof(tp->fw_ver) - 1; > + memset(tp->fw_ver, 0, sizeof(tp->fw_ver)); > + snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len, > + &vpd_data[j]); > } > > partno: >
diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c index ca3be73..c2450f4 100644 --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c @@ -13617,8 +13617,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp) if (j + len > block_end) goto partno; - memcpy(tp->fw_ver, &vpd_data[j], len); - strncat(tp->fw_ver, " bc ", vpdlen - len - 1); + if (len >= sizeof(tp->fw_ver)) + len = sizeof(tp->fw_ver) - 1; + memset(tp->fw_ver, 0, sizeof(tp->fw_ver)); + snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len, + &vpd_data[j]); } partno: