diff mbox

[Precise,Quantal,CVE-2013-1929] tg3: fix length overflow in VPD firmware parsing

Message ID 1365774362-12945-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques April 12, 2013, 1:46 p.m. UTC 
From: Kees Cook <keescook@chromium.org>

CVE-2013-1929

BugLink: http://bugs.launchpad.net/bugs/1167065

Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
when present") introduced VPD parsing that contained a potential length
overflow.

Limit the hardware's reported firmware string length (max 255 bytes) to
stay inside the driver's firmware string length (32 bytes). On overflow,
truncate the formatted firmware string instead of potentially overwriting
portions of the tg3 struct.

http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf

Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Oded Horovitz <oded@privatecore.com>
Reported-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Cc: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Stefan Bader April 12, 2013, 2:03 p.m. UTC | #1
Brad Figg April 12, 2013, 2:12 p.m. UTC | #2 
On 04/12/2013 06:46 AM, Luis Henriques wrote:
> From: Kees Cook <keescook@chromium.org>
> 
> CVE-2013-1929
> 
> BugLink: http://bugs.launchpad.net/bugs/1167065
> 
> Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
> when present") introduced VPD parsing that contained a potential length
> overflow.
> 
> Limit the hardware's reported firmware string length (max 255 bytes) to
> stay inside the driver's firmware string length (32 bytes). On overflow,
> truncate the formatted firmware string instead of potentially overwriting
> portions of the tg3 struct.
> 
> http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Reported-by: Oded Horovitz <oded@privatecore.com>
> Reported-by: Brad Spengler <spender@grsecurity.net>
> Cc: stable@vger.kernel.org
> Cc: Matt Carlson <mcarlson@broadcom.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
> index ca3be73..c2450f4 100644
> --- a/drivers/net/ethernet/broadcom/tg3.c
> +++ b/drivers/net/ethernet/broadcom/tg3.c
> @@ -13617,8 +13617,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
>  		if (j + len > block_end)
>  			goto partno;
>  
> -		memcpy(tp->fw_ver, &vpd_data[j], len);
> -		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
> +		if (len >= sizeof(tp->fw_ver))
> +			len = sizeof(tp->fw_ver) - 1;
> +		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
> +		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
> +			 &vpd_data[j]);
>  	}
>  
>  partno:
>
Tim Gardner April 12, 2013, 2:20 p.m. UTC | #3
diff mbox

Patch

diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index ca3be73..c2450f4 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -13617,8 +13617,11 @@  static void __devinit tg3_read_vpd(struct tg3 *tp)
 		if (j + len > block_end)
 			goto partno;
 
-		memcpy(tp->fw_ver, &vpd_data[j], len);
-		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
+		if (len >= sizeof(tp->fw_ver))
+			len = sizeof(tp->fw_ver) - 1;
+		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
+		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
+			 &vpd_data[j]);
 	}
 
 partno: