Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

From: Borislav Petkov
Date: Thu Nov 23 2023 - 12:05:56 EST

Next message: syzbot: "[syzbot] [ntfs3?] WARNING in indx_insert_into_buffer"
Previous message: claudiu beznea: "Re: [PATCH 13/13] net: ravb: Add runtime PM support"
In reply to: Borislav Petkov: "Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@xxxxxxxx>
>
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
>
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1899 | strncat(msg, other, L2C_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
> 1220 | strncat(msg, other, OCX_MESSAGE_SIZE);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
>
> Change it to use strncat().
>
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
> ---
> drivers/edac/thunderx_edac.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)

Applied, thanks.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Next message: syzbot: "[syzbot] [ntfs3?] WARNING in indx_insert_into_buffer"
Previous message: claudiu beznea: "Re: [PATCH 13/13] net: ravb: Add runtime PM support"
In reply to: Borislav Petkov: "Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]