| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 27 Mar 2013 06:40:50 +0000 |
| Subject: tg3: fix length overflow in VPD firmware parsing |
| |
| commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream. |
| |
| Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version |
| when present") introduced VPD parsing that contained a potential length |
| overflow. |
| |
| Limit the hardware's reported firmware string length (max 255 bytes) to |
| stay inside the driver's firmware string length (32 bytes). On overflow, |
| truncate the formatted firmware string instead of potentially overwriting |
| portions of the tg3 struct. |
| |
| http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Reported-by: Oded Horovitz <oded@privatecore.com> |
| Reported-by: Brad Spengler <spender@grsecurity.net> |
| Cc: Matt Carlson <mcarlson@broadcom.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/net/ethernet/broadcom/tg3.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/ethernet/broadcom/tg3.c |
| +++ b/drivers/net/ethernet/broadcom/tg3.c |
| @@ -13433,8 +13433,11 @@ static void __devinit tg3_read_vpd(struc |
| if (j + len > block_end) |
| goto partno; |
| |
| - memcpy(tp->fw_ver, &vpd_data[j], len); |
| - strncat(tp->fw_ver, " bc ", vpdlen - len - 1); |
| + if (len >= sizeof(tp->fw_ver)) |
| + len = sizeof(tp->fw_ver) - 1; |
| + memset(tp->fw_ver, 0, sizeof(tp->fw_ver)); |
| + snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len, |
| + &vpd_data[j]); |
| } |
| |
| partno: |
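Review bot: The `%.*s` precision in the new snprintf() call must be an `int`, but `len` is declared outside this hunk and may well be unsigned, given that it is compared directly against `sizeof(tp->fw_ver)`. If so, pass `(int)len` so the argument type matches the conversion. The value itself is safe after the clamp to `sizeof(tp->fw_ver) - 1`, so this is about type correctness and -Wformat cleanliness, not a remaining overflow. A short comment above the clamp would also help, e.g. `/* VPD length is device-supplied (up to 255); truncate to fit fw_ver */`, because a long vendor string now silently loses the " bc " suffix. tg3_read_vpd's body starts and ends outside the hunk.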