From patchwork Mon May 15 21:26:40 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 9727997
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	50A0D6028A for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 15 May 2017 21:27:03 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F8C02843F
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 15 May 2017 21:27:03 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 542E1289A8; Mon, 15 May 2017 21:27:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DFB692843F
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 15 May 2017 21:27:02 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758471AbdEOV0q (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 15 May 2017 17:26:46 -0400
Received: from mail-pg0-f49.google.com ([74.125.83.49]:36807 "EHLO
	mail-pg0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758435AbdEOV0n (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Mon, 15 May 2017 17:26:43 -0400
Received: by mail-pg0-f49.google.com with SMTP id x64so46532763pgd.3
	for <linux-wireless@vger.kernel.org>;
	Mon, 15 May 2017 14:26:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=date:from:to:cc:subject:message-id:mime-version:content-disposition;
	bh=chqRRWXH/M3Lv5Klda6n8o4LblohGPUljI1Uo4vUtuM=;
	b=BEtn0Ug8JE1ljMnwdYxetUU8dRR/VmIVLIAzyq9RKoSLDe3gE9ub8rz5wQ44pI7MFD
	/ABfZVkYX4m/g0jWX6BKigQjltiK/rY8YCQbejMzfL5E2XKg9cQSjmiiB6UKDC5E8ctz
	EO0vTIEtOPa/qRxs30b5HO3vc2AvOdRk0UDr8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
	:content-disposition;
	bh=chqRRWXH/M3Lv5Klda6n8o4LblohGPUljI1Uo4vUtuM=;
	b=snuZkwo4ljVhaNb4v3RwaubQf58nvG/GHTFDbWtllpCHaOM9z4UNa1YaNfgJNHQgZN
	a1LBzH5KRxzkwQk1Iawy/2J2aUzDH5Y/xf+HiEXicliD7tLkmwARN9BRNSzRo0tWmUoo
	avEYcsuC+ctcXCE+D7vMpWfyYDH4Zpy89IzVns/epEsgh8sAk1VWKYIarPrQhNFYfzsx
	bJSulR8Qh27Fm5/MydQzYLZL/pBVg1FNQkLGodhLA7FcJatbK5mm6MimHy001/yn6qEv
	YRcrAd6QcINCXcxbIeQK4p21lh3qpPE09jwhpf8VVUxMjnvxu96igoky/32ZSczwBoyY
	s8+Q==
X-Gm-Message-State: AODbwcA1qWeZ1u5IZFI6NYxO1wUjmO4CurDFRpzRvcDxTHKRncnIw9PA
	RQq+5K78gn36m2f7
X-Received: by 10.98.2.85 with SMTP id 82mr8317431pfc.52.1494883602920;
	Mon, 15 May 2017 14:26:42 -0700 (PDT)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	t66sm23843875pfe.134.2017.05.15.14.26.41
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 15 May 2017 14:26:41 -0700 (PDT)
Date: Mon, 15 May 2017 14:26:40 -0700
From: Kees Cook <keescook@chromium.org>
To: netdev@vger.kernel.org
Cc: Kalle Valo <kvalo@codeaurora.org>, Joe Perches <joe@perches.com>,
	libertas-dev@lists.infradead.org, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org, Daniel Micay <danielmicay@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH v3] libertas: Avoid reading past end of buffer
Message-ID: <20170515212640.GA45443@beast>
MIME-Version: 1.0
Content-Disposition: inline
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, redefine the stat strings to be ETH_GSTRING_LEN
sizes, like other drivers. This lets us use a single memcpy that does not
leak rodata contents. Additionally adjust indentation to keep checkpatch.pl
happy.

This was found with the future CONFIG_FORTIFY_SOURCE feature.

Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v3:
- drop needless "*"; joe
- fix entry/exit in separate patch
v2:
- use ETH_GSTRING_LEN; joe
---
 drivers/net/wireless/marvell/libertas/mesh.c | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c
index d0c881dd5846..2229fb448189 100644
--- a/drivers/net/wireless/marvell/libertas/mesh.c
+++ b/drivers/net/wireless/marvell/libertas/mesh.c
@@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv,
  * Ethtool related
  */
 
-static const char * const mesh_stat_strings[] = {
-			"drop_duplicate_bcast",
-			"drop_ttl_zero",
-			"drop_no_fwd_route",
-			"drop_no_buffers",
-			"fwded_unicast_cnt",
-			"fwded_bcast_cnt",
-			"drop_blind_table",
-			"tx_failed_cnt"
+static const char mesh_stat_strings[MESH_STATS_NUM][ETH_GSTRING_LEN] = {
+	"drop_duplicate_bcast",
+	"drop_ttl_zero",
+	"drop_no_fwd_route",
+	"drop_no_buffers",
+	"fwded_unicast_cnt",
+	"fwded_bcast_cnt",
+	"drop_blind_table",
+	"tx_failed_cnt"
 };
 
 void lbs_mesh_ethtool_get_stats(struct net_device *dev,
@@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device *dev, int sset)
 void lbs_mesh_ethtool_get_strings(struct net_device *dev,
 	uint32_t stringset, uint8_t *s)
 {
-	int i;
-
 	lbs_deb_enter(LBS_DEB_ETHTOOL);
 
 	switch (stringset) {
 	case ETH_SS_STATS:
-		for (i = 0; i < MESH_STATS_NUM; i++) {
-			memcpy(s + i * ETH_GSTRING_LEN,
-					mesh_stat_strings[i],
-					ETH_GSTRING_LEN);
-		}
+		memcpy(s, mesh_stat_strings, sizeof(mesh_stat_strings));
 		break;
 	}
 	lbs_deb_enter(LBS_DEB_ETHTOOL);