| Message ID | 20210616195303.1231429-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 99718abdc00e86e4f286dd836408e2834886c16e |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | r8152: Avoid memcpy() over-reading of ETH_SS_STATS | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 6 of 6 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
On Wed, Jun 16, 2021 at 12:53:03PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally reading across neighboring array fields. > > The memcpy() is copying the entire structure, not just the first array. > Adjust the source argument so the compiler can do appropriate bounds > checking. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/net/usb/r8152.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c > index 85039e17f4cd..5f08720bf1c9 100644 > --- a/drivers/net/usb/r8152.c > +++ b/drivers/net/usb/r8152.c > @@ -8678,7 +8678,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) > { > switch (stringset) { > case ETH_SS_STATS: > - memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); > + memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); > break; Is this correct? The call is supposed to return all the statistic strings, which would be the entire structure. Andrew
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Wed, 16 Jun 2021 12:53:03 -0700 you wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally reading across neighboring array fields. > > The memcpy() is copying the entire structure, not just the first array. > Adjust the source argument so the compiler can do appropriate bounds > checking. > > [...] Here is the summary with links: - r8152: Avoid memcpy() over-reading of ETH_SS_STATS https://git.kernel.org/netdev/net/c/99718abdc00e You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
On Wed, Jun 16, 2021 at 10:02:43PM +0200, Andrew Lunn wrote: > On Wed, Jun 16, 2021 at 12:53:03PM -0700, Kees Cook wrote: > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > field bounds checking for memcpy(), memmove(), and memset(), avoid > > intentionally reading across neighboring array fields. > > > > The memcpy() is copying the entire structure, not just the first array. > > Adjust the source argument so the compiler can do appropriate bounds > > checking. > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > drivers/net/usb/r8152.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c > > index 85039e17f4cd..5f08720bf1c9 100644 > > --- a/drivers/net/usb/r8152.c > > +++ b/drivers/net/usb/r8152.c > > @@ -8678,7 +8678,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) > > { > > switch (stringset) { > > case ETH_SS_STATS: > > - memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); > > + memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); > > break; > > Is this correct? The call is supposed to return all the statistic > strings, which would be the entire structure. Ah! now i think i get it. Although *rtl8152_gstrings == rtl8152_gstrings in terms of addresses, the compiler sees that *rtl8152_gstrings is sizeof(ETH_GSTRING_LEN), but we are copying sizeof(rtl8152_gstrings), so it will issue a warning. So you remove the * to indicate we are interesting in the whole structure of arrays. Andrew
On Wed, Jun 16, 2021 at 10:10:40PM +0200, Andrew Lunn wrote: > On Wed, Jun 16, 2021 at 10:02:43PM +0200, Andrew Lunn wrote: > > On Wed, Jun 16, 2021 at 12:53:03PM -0700, Kees Cook wrote: > > > In preparation for FORTIFY_SOURCE performing compile-time and run-time > > > field bounds checking for memcpy(), memmove(), and memset(), avoid > > > intentionally reading across neighboring array fields. > > > > > > The memcpy() is copying the entire structure, not just the first array. > > > Adjust the source argument so the compiler can do appropriate bounds > > > checking. > > > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > > --- > > > drivers/net/usb/r8152.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c > > > index 85039e17f4cd..5f08720bf1c9 100644 > > > --- a/drivers/net/usb/r8152.c > > > +++ b/drivers/net/usb/r8152.c > > > @@ -8678,7 +8678,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) > > > { > > > switch (stringset) { > > > case ETH_SS_STATS: > > > - memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); > > > + memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); > > > break; > > > > Is this correct? The call is supposed to return all the statistic > > strings, which would be the entire structure. > > Ah! now i think i get it. > > Although *rtl8152_gstrings == rtl8152_gstrings in terms of addresses, > the compiler sees that *rtl8152_gstrings is sizeof(ETH_GSTRING_LEN), > but we are copying sizeof(rtl8152_gstrings), so it will issue a > warning. So you remove the * to indicate we are interesting in the > whole structure of arrays. Right! Sorry if that wasn't more clear. :)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 85039e17f4cd..5f08720bf1c9 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -8678,7 +8678,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) { switch (stringset) { case ETH_SS_STATS: - memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); + memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); break; } }
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally reading across neighboring array fields. The memcpy() is copying the entire structure, not just the first array. Adjust the source argument so the compiler can do appropriate bounds checking. Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/usb/r8152.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)