Bug 757796

Summary: missing NUL-termination in usbnet drvinfo
Product: Red Hat Enterprise Linux 6
Reporter: Laszlo Ersek <lersek>
Component: kernel
Assignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED DEFERRED
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.4
CC: syeghiay
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-18 23:37:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments: proposed patch (flags: none)

Description Laszlo Ersek 2011-11-28 17:50:18 UTC
Created attachment 537576 [details]
proposed patch

"include/linux/usb/usbnet.h" declares the following structure type:

--------*--------
/* interface from the device/framing level "minidriver" to core */
struct driver_info {
  char *description;
--------*--------

"drivers/net/usb/mcs7830.c" introduces some static structs with this type, for the devices it handles:

--------*--------
static const struct driver_info moschip_info = {
  .description = "MOSCHIP 7830/7832/7730 usb-NET adapter",
--------*--------

Note that the "description" field is a pointer, not an array. Thus the C semantics of decaying the char array to a pointer to the first element apply.

From "include/linux/ethtool.h":

--------*--------
#define ETHTOOL_FWVERS_LEN    32
#define ETHTOOL_BUSINFO_LEN    32
/* these strings are set to whatever the driver author decides... */
struct ethtool_drvinfo {
  __u32    cmd;
  char driver[32];    /* driver short name, "tulip", "eepro100" */
  char version[32];    /* driver version string */
  char fw_version[ETHTOOL_FWVERS_LEN];    /* firmware version string */
  char bus_info[ETHTOOL_BUSINFO_LEN];    /* Bus info for this IF. */
--------*--------

Here cometh the "get driver info" method of usbnet, invoked by "ethtool -i", from "drivers/net/usb/usbnet.c":

--------*--------
void usbnet_get_drvinfo (struct net_device *net, struct ethtool_drvinfo *info)
{
  struct usbnet *dev = netdev_priv(net);

  strncpy (info->driver, dev->driver_name, sizeof info->driver);
  strncpy (info->version, DRIVER_VERSION, sizeof info->version);
  strncpy (info->fw_version, dev->driver_info->description,
           sizeof info->fw_version);
  usb_make_path (dev->udev, info->bus_info, sizeof info->bus_info);
}
EXPORT_SYMBOL_GPL(usbnet_get_drvinfo);
--------*--------

Since the string pointed to by "moschip_info.description" is not shorter than ETHTOOL_FWVERS_LEN characters, the third strncpy() call will not NUL-terminate "info->fw_version", and whoever reads that up to the first NUL will cross over into the "info->bus_info" field. (There's no struct padding between the two.)

--------*--------
$ ethtool -i eth2
driver: MOSCHIP usb-ethernet driver
version: 22-Aug-2005
firmware-version: MOSCHIP 7830/7730 usb-NET adapteusb-0000:00:1a.0-1.5.4.4
bus-info: usb-0000:00:1a.0-1.5.4.4
--------*--------

The bug seems to be present in the most recent upstream kernel (as of git commit 401d0069). Actually, the "moschip_info.description" quoted above is more recent than the RHEL-6 version; nonetheless, the RHEL-6 version is oversized too (33 characters). The driver is built for RHEL-6:

config-generic:CONFIG_USB_NET_MCS7830=m

The immediate fix is to mimic what ethtool_get_drvinfo() does in "net/core/ethtool.c", in case a device does not directly provide a drvinfo() method: use strlcpy(). Uncompiled patch attached.

The problem was evaluated as not relevant security-wise.
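The overrun the report describes, reproduced in user space as an added example (this is not the attached patch or kernel code): a constructed replica of the two adjacent drvinfo fields is filled first the way usbnet_get_drvinfo() does with strncpy(), then with strlcpy() semantics as in the proposed fix, and a bounded scan shows what a reader that stops at the first NUL would print. local_strlcpy() is a stand-in helper because glibc provides no strlcpy(); the struct layout and input strings are taken from the report.

```c
#include <string.h>
/* Constructed replica of the adjacent ethtool_drvinfo fields: 32-byte
 * fw_version immediately followed by 32-byte bus_info, with no padding. */
struct drvinfo_tail {
    char fw_version[32];
    char bus_info[32];
};

/* Constructed inputs: the 33-char RHEL-6 description and the bus path from
 * the report's ethtool output. */
static const char *const DESCRIPTION = "MOSCHIP 7830/7730 usb-NET adapter";
static const char *const BUS_PATH = "usb-0000:00:1a.0-1.5.4.4";
/* strlcpy() semantics as used by the fix: copy at most size-1 bytes and always
 * write a NUL. Local helper (glibc has no strlcpy()); assumes size > 0. */
static size_t local_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src), n = len < size ? len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* fixed == 0: strncpy() with the full field size, as usbnet_get_drvinfo()
 * does (no terminator once the source has 32+ chars); fixed != 0: strlcpy(). */
static void fill_drvinfo(struct drvinfo_tail *t, int fixed)
{
    if (fixed) {
        local_strlcpy(t->fw_version, DESCRIPTION, sizeof t->fw_version);
        local_strlcpy(t->bus_info, BUS_PATH, sizeof t->bus_info);
    } else {
        strncpy(t->fw_version, DESCRIPTION, sizeof t->fw_version);
        strncpy(t->bus_info, BUS_PATH, sizeof t->bus_info);
    }
}

/* What `ethtool -i` prints as firmware-version: fw_version up to the first
 * NUL. Bounded by the whole struct so the scan itself stays in bounds, but
 * with strncpy it still runs on into bus_info. */
static const char *fw_version_as_seen(int fixed)
{
    static struct drvinfo_tail t;
    static char seen[sizeof t + 1];
    const char *p = (const char *)&t;   /* fw_version sits at offset 0 */
    size_t n = 0;
    fill_drvinfo(&t, fixed);
    while (n < sizeof t && p[n] != '\0')
        n++;
    memcpy(seen, p, n);
    seen[n] = '\0';
    return seen;
}
```

With fixed == 0 the returned string is the same 56-byte run of firmware-version and bus-info that the report's ethtool output shows; with fixed != 0 it is the description truncated to 31 characters plus a terminator.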

Comment 3 RHEL Program Management 2012-05-03 05:28:13 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2012-07-10 08:29:39 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 RHEL Program Management 2012-07-10 23:31:17 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 6 Laszlo Ersek 2012-10-18 23:37:03 UTC
In the meantime this got fixed in upstream, see commit 86a2f415. RHEL-7 has it.