mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-25 20:14:25 +08:00
tg3: fix length overflow in VPD firmware parsing
Commit 184b89044f
("tg3: Use VPD fw version
when present") introduced VPD parsing that contained a potential length
overflow.
Limit the hardware's reported firmware string length (max 255 bytes) to
stay inside the driver's firmware string length (32 bytes). On overflow,
truncate the formatted firmware string instead of potentially overwriting
portions of the tg3 struct.
http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Oded Horovitz <oded@privatecore.com>
Reported-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Cc: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
ea872d7712
commit
715230a443
@ -14604,8 +14604,11 @@ static void tg3_read_vpd(struct tg3 *tp)
|
||||
if (j + len > block_end)
|
||||
goto partno;
|
||||
|
||||
memcpy(tp->fw_ver, &vpd_data[j], len);
|
||||
strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
|
||||
if (len >= sizeof(tp->fw_ver))
|
||||
len = sizeof(tp->fw_ver) - 1;
|
||||
memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
|
||||
snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
|
||||
&vpd_data[j]);
|
||||
}
|
||||
|
||||
partno:
|
||||
|
Loading…
Reference in New Issue
Block a user