Created attachment 537576: proposed patch
"include/linux/usb/usbnet.h" declares the following structure type:
--------*--------
/* interface from the device/framing level "minidriver" to core */
struct driver_info {
	char *description;
--------*--------
"drivers/net/usb/mcs7830.c" introduces some static structs with this type, for the devices it handles:
--------*--------
static const struct driver_info moschip_info = {
	.description = "MOSCHIP 7830/7832/7730 usb-NET adapter",
--------*--------
Note that the "description" field is a pointer, not an array. Thus the C semantics of decaying the char array to a pointer to the first element apply.
From "include/linux/ethtool.h":
--------*--------
#define ETHTOOL_FWVERS_LEN 32
#define ETHTOOL_BUSINFO_LEN 32
/* these strings are set to whatever the driver author decides... */
struct ethtool_drvinfo {
	__u32 cmd;
	char driver[32]; /* driver short name, "tulip", "eepro100" */
	char version[32]; /* driver version string */
	char fw_version[ETHTOOL_FWVERS_LEN]; /* firmware version string */
	char bus_info[ETHTOOL_BUSINFO_LEN]; /* Bus info for this IF. */
--------*--------
Here cometh the "get driver info" method of usbnet, invoked by "ethtool -i", from "drivers/net/usb/usbnet.c":
--------*--------
void usbnet_get_drvinfo (struct net_device *net, struct ethtool_drvinfo *info)
{
	struct usbnet *dev = netdev_priv(net);

	strncpy (info->driver, dev->driver_name, sizeof info->driver);
	strncpy (info->version, DRIVER_VERSION, sizeof info->version);
	strncpy (info->fw_version, dev->driver_info->description,
		sizeof info->fw_version);
	usb_make_path (dev->udev, info->bus_info, sizeof info->bus_info);
}
EXPORT_SYMBOL_GPL(usbnet_get_drvinfo);
--------*--------
Since the string pointed to by "moschip_info.description" is not shorter than ETHTOOL_FWVERS_LEN characters, the third strncpy() call will not NUL-terminate "info->fw_version", and whoever reads that up to the first NUL will cross over into the "info->bus_info" field. (There's no struct padding between the two.)
--------*--------
$ ethtool -i eth2
driver: MOSCHIP usb-ethernet driver
version: 22-Aug-2005
firmware-version: MOSCHIP 7830/7730 usb-NET adapteusb-0000:00:1a.0-1.5.4.4
bus-info: usb-0000:00:1a.0-1.5.4.4
--------*--------
The bug seems to be present in the most recent upstream kernel (as of git commit 401d0069). Actually, the "moschip_info.description" quoted above is more recent than the RHEL-6 version; nonetheless, the RHEL-6 version is oversized too (33 characters). The driver is built for RHEL-6:
config-generic:CONFIG_USB_NET_MCS7830=m
The immediate fix is to mimic what ethtool_get_drvinfo() does in "net/core/ethtool.c", in case a device does not directly provide a drvinfo() method: use strlcpy(). Uncompiled patch attached.
The problem was evaluated as not relevant security-wise.
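A userspace model of the truncation described in the report, added here as an example (it is not code from the bug report, the attached patch or the kernel). `struct drvinfo_model`, `bounded_copy()`, `visible_len()` and `fill()` are hypothetical names; `bounded_copy()` is a local helper with strlcpy-style semantics, and the two strings are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the two adjacent ethtool_drvinfo fields. */
struct drvinfo_model {
	char fw_version[32];	/* ETHTOOL_FWVERS_LEN */
	char bus_info[32];	/* ETHTOOL_BUSINFO_LEN */
};

/* Strings quoted in the report: a 38-character description and a bus path. */
static const char *const description = "MOSCHIP 7830/7832/7730 usb-NET adapter";
static const char *const bus_path = "usb-0000:00:1a.0-1.5.4.4";

/* strlcpy-style copy: always NUL-terminates when size > 0, truncating if needed. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);
	if (size > 0) {
		size_t n = len < size - 1 ? len : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

/* Bytes seen when scanning from fw_version (offset 0) to the first NUL, capped at the struct size. */
static size_t visible_len(const struct drvinfo_model *info)
{
	const char *nul = memchr(info, '\0', sizeof *info);
	return nul ? (size_t)(nul - (const char *)info) : sizeof *info;
}

/* use_bounded == 0: strncpy() as in usbnet_get_drvinfo(); otherwise the bounded copy. */
static size_t fill(struct drvinfo_model *info, int use_bounded)
{
	memset(info, 0, sizeof *info);
	if (use_bounded)
		bounded_copy(info->fw_version, description, sizeof info->fw_version);
	else
		strncpy(info->fw_version, description, sizeof info->fw_version);
	bounded_copy(info->bus_info, bus_path, sizeof info->bus_info);
	return visible_len(info);
}

int main(void)
{
	struct drvinfo_model info;
	printf("strncpy: %zu, bounded: %zu bytes visible\n", fill(&info, 0), fill(&info, 1));
	return 0;
}
```

With strncpy() the reader sees 56 bytes (all 32 of fw_version plus the 24-byte bus path); with the bounded copy it sees 31.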
Comment 3 RHEL Program Management
2012-05-03 05:28:13 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.
Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 4 RHEL Program Management
2012-07-10 08:29:39 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 5 RHEL Program Management
2012-07-10 23:31:17 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.