Received: by 10.192.165.156 with SMTP id m28csp1134199imm; Wed, 11 Apr 2018 13:04:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/eHD6tdiSOctkvj2Er08jQUerjcLzY8Cqp5IChNvtuOxW2u+4mWViD26vqA1DSiQPVURkX X-Received: by 2002:a17:902:6b86:: with SMTP id p6-v6mr6389075plk.32.1523477083109; Wed, 11 Apr 2018 13:04:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523477083; cv=none; d=google.com; s=arc-20160816; b=lyDzhfXKov6XOTub5NVQn7jao42hfs8IuTPSNWWldMzOhxMi20KEVJBTRAFXZuAPOG cihwEWmW/1tKQikzyW0y1fpkaOIGuolepuLEi+FHaHekbDlnAJQLajcyQHRqRyNhDmjB /mtJqT0YWLL1vEzOQix8v7fqUNbQ9Zp6Rh3mFg0sDXF2FIB0G6xI3qmiGm5PzGdgyBEc TBEgP1QCZ7Hpvdmm5vNgGE85xND1vlPZoQH8VJKa+4g07xfOYmC+6NmrZSaHQT9P5+u5 sHgFfhZ5r4lRwwwd03TuQlkuO8zs0RfrTGErTH4XCBbkuSl2Y+/oZmF8t2t4tfiBt8u9 R7rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=oFB7r9Lo3pa4McnUftIMkEebKxaL74jCzUItfxJFrNU=; b=Hos0yfM05dswBCHcO/FCTbIaDczYkEgUtjJxBnIXHN310UETMAVZemteiFKv5q7Frh ueU9fH8tgzy1+zrOX4UdMQOiO3leXQP1W7oHeqqMCIFbJu+QRApBL3MaKpPwamUWTSFm DufOesGL25xSLHVNgu8rsx6CY7qe+yTRAu4AW196ewnsflIRiXUR9gx77YebTDPSRHxO MSztDNbfhHPPs8DPoVZH8mXXekKGHjo645fwKP35b7y7C/k6Jj9sI1q7crKnZtrTAbju WLUcVv3oLtNP1TuoSqBi7hK34W28njHI8EFXrFIxMwAfVbYPemSzRK46ag31Et7d+rZW W71Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e9-v6si1745913pln.439.2018.04.11.13.04.06; Wed, 11 Apr 2018 13:04:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756148AbeDKS4e (ORCPT + 99 others); Wed, 11 Apr 2018 14:56:34 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35810 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755079AbeDKS43 (ORCPT ); Wed, 11 Apr 2018 14:56:29 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id E9C3D39; Wed, 11 Apr 2018 18:56:28 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Micay , Kees Cook , Kalle Valo , Sasha Levin Subject: [PATCH 4.9 089/310] ray_cs: Avoid reading past end of buffer Date: Wed, 11 Apr 2018 20:33:48 +0200 Message-Id: <20180411183626.084276851@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183622.305902791@linuxfoundation.org> References: <20180411183622.305902791@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kees Cook [ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ] Using memcpy() from a buffer that is shorter than the length copied means the destination buffer is being filled with arbitrary data from the kernel rodata segment. In this case, the source was made longer, since it did not match the destination structure size. Additionally removes a needless cast. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay Signed-off-by: Kees Cook Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/ray_cs.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/net/wireless/ray_cs.c +++ b/drivers/net/wireless/ray_cs.c @@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa 0x04, 0x08, /* Noise gain, limit offset */ 0x28, 0x28, /* det rssi, med busy offsets */ 7, /* det sync thresh */ - 0, 2, 2 /* test mode, min, max */ + 0, 2, 2, /* test mode, min, max */ + 0, /* rx/tx delay */ + 0, 0, 0, 0, 0, 0, /* current BSS id */ + 0 /* hop set */ }; /*===========================================================================*/ @@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_ * a_beacon_period = hops a_beacon_period = KuS *//* 64ms = 010000 */ if (local->fw_ver == 0x55) { - memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms, + memcpy(&local->sparm.b4, b4_default_startup_parms, sizeof(struct b4_startup_params)); /* Translate sane kus input values to old build 4/5 format */ /* i = hop time in uS truncated to 3 bytes */