Re: [PATCH] libertas: Avoid reading past end of buffer
Joe Percheswrites: > unrelated trivia: > > lbs_deb_enter is used incorrectly here at > function exit as both enter and leave calls. > > That type of copy/paste defect may be common. > > $ git grep -w lbs_deb_enter | wc -l > 148 > $ git grep -w lbs_deb_leave | wc -l > 71 > > One would expect these numbers to be the same. > > Another option would be to delete all these > calls as ftrace function tracing works well. Yeah, deleting all the enter/exit calls would be better. -- Kalle Valo
Re: [PATCH] libertas: Avoid reading past end of buffer
Joe Perches writes: > unrelated trivia: > > lbs_deb_enter is used incorrectly here at > function exit as both enter and leave calls. > > That type of copy/paste defect may be common. > > $ git grep -w lbs_deb_enter | wc -l > 148 > $ git grep -w lbs_deb_leave | wc -l > 71 > > One would expect these numbers to be the same. > > Another option would be to delete all these > calls as ftrace function tracing works well. Yeah, deleting all the enter/exit calls would be better. -- Kalle Valo
Re: [PATCH] libertas: Avoid reading past end of buffer
On Wed, 2017-05-10 at 12:24 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means > the destination buffer is being filled with arbitrary data from the kernel > rodata segment. another bit of trivia: > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device > *dev, int sset) [] > + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings)); That * isn't necessary.
Re: [PATCH] libertas: Avoid reading past end of buffer
On Wed, 2017-05-10 at 12:24 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means > the destination buffer is being filled with arbitrary data from the kernel > rodata segment. another bit of trivia: > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device > *dev, int sset) [] > + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings)); That * isn't necessary.
Re: [PATCH] libertas: Avoid reading past end of buffer
On Wed, 2017-05-10 at 12:24 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means [] > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device > *dev, int sset) > void lbs_mesh_ethtool_get_strings(struct net_device *dev, > uint32_t stringset, uint8_t *s) > { > - int i; > - > lbs_deb_enter(LBS_DEB_ETHTOOL); > > switch (stringset) { > case ETH_SS_STATS: > - for (i = 0; i < MESH_STATS_NUM; i++) { > - memcpy(s + i * ETH_GSTRING_LEN, > - mesh_stat_strings[i], > - ETH_GSTRING_LEN); > - } > + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings)); > break; > } > lbs_deb_enter(LBS_DEB_ETHTOOL); unrelated trivia: lbs_deb_enter is used incorrectly here at function exit as both enter and leave calls. That type of copy/paste defect may be common. $ git grep -w lbs_deb_enter | wc -l 148 $ git grep -w lbs_deb_leave | wc -l 71 One would expect these numbers to be the same. Another option would be to delete all these calls as ftrace function tracing works well.
Re: [PATCH] libertas: Avoid reading past end of buffer
On Wed, 2017-05-10 at 12:24 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means [] > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device > *dev, int sset) > void lbs_mesh_ethtool_get_strings(struct net_device *dev, > uint32_t stringset, uint8_t *s) > { > - int i; > - > lbs_deb_enter(LBS_DEB_ETHTOOL); > > switch (stringset) { > case ETH_SS_STATS: > - for (i = 0; i < MESH_STATS_NUM; i++) { > - memcpy(s + i * ETH_GSTRING_LEN, > - mesh_stat_strings[i], > - ETH_GSTRING_LEN); > - } > + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings)); > break; > } > lbs_deb_enter(LBS_DEB_ETHTOOL); unrelated trivia: lbs_deb_enter is used incorrectly here at function exit as both enter and leave calls. That type of copy/paste defect may be common. $ git grep -w lbs_deb_enter | wc -l 148 $ git grep -w lbs_deb_leave | wc -l 71 One would expect these numbers to be the same. Another option would be to delete all these calls as ftrace function tracing works well.
Re: [PATCH] libertas: Avoid reading past end of buffer
On Tue, May 9, 2017 at 9:33 PM, Joe Percheswrote: > On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: >> Using memcpy() from a string that is shorter than the length copied means >> the destination buffer is being filled with arbitrary data from the kernel >> rodata segment. Instead, use strncpy() which will fill the trailing bytes >> with zeros. Additionally adjust indentation to keep checkpatch.pl happy. >> >> This was found with the future CONFIG_FORTIFY_SOURCE feature. > [] >> diff --git a/drivers/net/wireless/marvell/libertas/mesh.c >> b/drivers/net/wireless/marvell/libertas/mesh.c > [] >> @@ -1177,9 +1177,9 @@ void lbs_mesh_ethtool_get_strings(struct net_device >> *dev, >> switch (stringset) { >> case ETH_SS_STATS: >> for (i = 0; i < MESH_STATS_NUM; i++) { >> - memcpy(s + i * ETH_GSTRING_LEN, >> - mesh_stat_strings[i], >> - ETH_GSTRING_LEN); >> + strncpy(s + i * ETH_GSTRING_LEN, >> + mesh_stat_strings[i], >> + ETH_GSTRING_LEN); >> } > > The better solution is to declare > mesh_stat_strings in in the normal way > > --- > drivers/net/wireless/marvell/libertas/mesh.c | 18 +- > 1 file changed, 9 insertions(+), 9 deletions(-) > > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c > index d0c881dd5846..a535e7f48d2d 100644 > --- a/drivers/net/wireless/marvell/libertas/mesh.c > +++ b/drivers/net/wireless/marvell/libertas/mesh.c > @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, > * Ethtool related > */ > > -static const char * const mesh_stat_strings[] = { > - "drop_duplicate_bcast", > - "drop_ttl_zero", > - "drop_no_fwd_route", > - "drop_no_buffers", > - "fwded_unicast_cnt", > - "fwded_bcast_cnt", > - "drop_blind_table", > - "tx_failed_cnt" > +static const char mesh_stat_strings[][ETH_GSTRING_LEN] = { > + "drop_duplicate_bcast", > + "drop_ttl_zero", > + "drop_no_fwd_route", > + "drop_no_buffers", > + "fwded_unicast_cnt", > + "fwded_bcast_cnt", > + "drop_blind_table", > + "tx_failed_cnt", > }; > > void lbs_mesh_ethtool_get_stats(struct net_device *dev, Ah yeah! And that simplifies the memcpy too, since it can just do it in one go. New patch on the way... -Kees -- Kees Cook Pixel Security
Re: [PATCH] libertas: Avoid reading past end of buffer
On Tue, May 9, 2017 at 9:33 PM, Joe Perches wrote: > On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: >> Using memcpy() from a string that is shorter than the length copied means >> the destination buffer is being filled with arbitrary data from the kernel >> rodata segment. Instead, use strncpy() which will fill the trailing bytes >> with zeros. Additionally adjust indentation to keep checkpatch.pl happy. >> >> This was found with the future CONFIG_FORTIFY_SOURCE feature. > [] >> diff --git a/drivers/net/wireless/marvell/libertas/mesh.c >> b/drivers/net/wireless/marvell/libertas/mesh.c > [] >> @@ -1177,9 +1177,9 @@ void lbs_mesh_ethtool_get_strings(struct net_device >> *dev, >> switch (stringset) { >> case ETH_SS_STATS: >> for (i = 0; i < MESH_STATS_NUM; i++) { >> - memcpy(s + i * ETH_GSTRING_LEN, >> - mesh_stat_strings[i], >> - ETH_GSTRING_LEN); >> + strncpy(s + i * ETH_GSTRING_LEN, >> + mesh_stat_strings[i], >> + ETH_GSTRING_LEN); >> } > > The better solution is to declare > mesh_stat_strings in in the normal way > > --- > drivers/net/wireless/marvell/libertas/mesh.c | 18 +- > 1 file changed, 9 insertions(+), 9 deletions(-) > > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c > index d0c881dd5846..a535e7f48d2d 100644 > --- a/drivers/net/wireless/marvell/libertas/mesh.c > +++ b/drivers/net/wireless/marvell/libertas/mesh.c > @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, > * Ethtool related > */ > > -static const char * const mesh_stat_strings[] = { > - "drop_duplicate_bcast", > - "drop_ttl_zero", > - "drop_no_fwd_route", > - "drop_no_buffers", > - "fwded_unicast_cnt", > - "fwded_bcast_cnt", > - "drop_blind_table", > - "tx_failed_cnt" > +static const char mesh_stat_strings[][ETH_GSTRING_LEN] = { > + "drop_duplicate_bcast", > + "drop_ttl_zero", > + "drop_no_fwd_route", > + "drop_no_buffers", > + "fwded_unicast_cnt", > + "fwded_bcast_cnt", > + "drop_blind_table", > + "tx_failed_cnt", > }; > > void lbs_mesh_ethtool_get_stats(struct net_device *dev, Ah yeah! And that simplifies the memcpy too, since it can just do it in one go. New patch on the way... -Kees -- Kees Cook Pixel Security
Re: [PATCH] libertas: Avoid reading past end of buffer
On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means > the destination buffer is being filled with arbitrary data from the kernel > rodata segment. Instead, use strncpy() which will fill the trailing bytes > with zeros. Additionally adjust indentation to keep checkpatch.pl happy. > > This was found with the future CONFIG_FORTIFY_SOURCE feature. [] > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1177,9 +1177,9 @@ void lbs_mesh_ethtool_get_strings(struct net_device > *dev, > switch (stringset) { > case ETH_SS_STATS: > for (i = 0; i < MESH_STATS_NUM; i++) { > - memcpy(s + i * ETH_GSTRING_LEN, > - mesh_stat_strings[i], > - ETH_GSTRING_LEN); > + strncpy(s + i * ETH_GSTRING_LEN, > + mesh_stat_strings[i], > + ETH_GSTRING_LEN); > } The better solution is to declare mesh_stat_strings in in the normal way --- drivers/net/wireless/marvell/libertas/mesh.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c index d0c881dd5846..a535e7f48d2d 100644 --- a/drivers/net/wireless/marvell/libertas/mesh.c +++ b/drivers/net/wireless/marvell/libertas/mesh.c @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, * Ethtool related */ -static const char * const mesh_stat_strings[] = { - "drop_duplicate_bcast", - "drop_ttl_zero", - "drop_no_fwd_route", - "drop_no_buffers", - "fwded_unicast_cnt", - "fwded_bcast_cnt", - "drop_blind_table", - "tx_failed_cnt" +static const char mesh_stat_strings[][ETH_GSTRING_LEN] = { + "drop_duplicate_bcast", + "drop_ttl_zero", + "drop_no_fwd_route", + "drop_no_buffers", + "fwded_unicast_cnt", + "fwded_bcast_cnt", + "drop_blind_table", + "tx_failed_cnt", }; void lbs_mesh_ethtool_get_stats(struct net_device *dev,
Re: [PATCH] libertas: Avoid reading past end of buffer
On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means > the destination buffer is being filled with arbitrary data from the kernel > rodata segment. Instead, use strncpy() which will fill the trailing bytes > with zeros. Additionally adjust indentation to keep checkpatch.pl happy. > > This was found with the future CONFIG_FORTIFY_SOURCE feature. [] > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c > b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1177,9 +1177,9 @@ void lbs_mesh_ethtool_get_strings(struct net_device > *dev, > switch (stringset) { > case ETH_SS_STATS: > for (i = 0; i < MESH_STATS_NUM; i++) { > - memcpy(s + i * ETH_GSTRING_LEN, > - mesh_stat_strings[i], > - ETH_GSTRING_LEN); > + strncpy(s + i * ETH_GSTRING_LEN, > + mesh_stat_strings[i], > + ETH_GSTRING_LEN); > } The better solution is to declare mesh_stat_strings in in the normal way --- drivers/net/wireless/marvell/libertas/mesh.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c index d0c881dd5846..a535e7f48d2d 100644 --- a/drivers/net/wireless/marvell/libertas/mesh.c +++ b/drivers/net/wireless/marvell/libertas/mesh.c @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, * Ethtool related */ -static const char * const mesh_stat_strings[] = { - "drop_duplicate_bcast", - "drop_ttl_zero", - "drop_no_fwd_route", - "drop_no_buffers", - "fwded_unicast_cnt", - "fwded_bcast_cnt", - "drop_blind_table", - "tx_failed_cnt" +static const char mesh_stat_strings[][ETH_GSTRING_LEN] = { + "drop_duplicate_bcast", + "drop_ttl_zero", + "drop_no_fwd_route", + "drop_no_buffers", + "fwded_unicast_cnt", + "fwded_bcast_cnt", + "drop_blind_table", + "tx_failed_cnt", }; void lbs_mesh_ethtool_get_stats(struct net_device *dev,