Received: by 10.192.165.156 with SMTP id m28csp1172170imm; Wed, 11 Apr 2018 13:51:52 -0700 (PDT) X-Google-Smtp-Source: AIpwx49vOS0zQD6MmABirxf39tLkNTAYauflHhs9PYDwEzM8eGetaehrK5baFhcLq18EpPYCAUqs X-Received: by 2002:a17:902:2884:: with SMTP id f4-v6mr6608238plb.153.1523479912701; Wed, 11 Apr 2018 13:51:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523479912; cv=none; d=google.com; s=arc-20160816; b=tgpzTHewQ9I0KumAsu1JB6Oly4jGtGzB175xaiMU4aOMjZY7L6acDPNimpLl1bmcfr DPvTxaw4YR2OgaTcEA5wDCivwimISPV1PjvIVL/Czn4jVx/a2LgSTtaLq+XmC9Qflhku UeJzj6Peh2o8bMDemhlaEd1F0uPdFoS2cMGpNLgi9uvWxt/BDDoCw3TEPZ/7wqHKlaeW J167S1D/AE+vgT8eKZYUyQ7EFKG2CvjJDJuB5BvzHNsanahbVnzw12UODtvenQi4SFx5 /dZ5fe8BXDVtUrZz7LzZGRn2tHQJT8C8nrJSOSeg+2PWF4n9llLPllfiaoWdJ4W5/5wO 4YLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=R+H8zHH8mNDX/GGJy+Qu4vYIp4nk1f2Smp1kw5soHwQ=; b=f9eAWAsop1Rup1elgBh0y19b4zsz6MIbuzHqHG6wzC0o2GhGPXRKpodkc1ZDGR5Nkg 6dZOm2sgSDltvITci0Vp/i+aPzX12K0PTba53WklKAZLapfjSHgdB0SfeGeFKPJPuqgd E+gL++oC8aFGEba9kZa9sYUKJsrw0nWae/F7sUw6kwunqabC7bxIhjj6r0/vFdch0RtS vqEjiwvb2b6xSwzqzi8tOKxDGJnPIN4cK4OzlM0rPWifLOXHAgI2cLsh+Xx4nXUKYqw8 XTPxRWIIQMOFNmeauZ12bXzMAUrrz8WYJsXN8n5QnXt2iIjwXS9vFF1bRx5iNtpQabbX 5uuQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x11si1200738pgr.147.2018.04.11.13.51.15; Wed, 11 Apr 2018 13:51:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932342AbeDKSq1 (ORCPT + 99 others); Wed, 11 Apr 2018 14:46:27 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:58896 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754987AbeDKSqX (ORCPT ); Wed, 11 Apr 2018 14:46:23 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 80BF1CA5; Wed, 11 Apr 2018 18:46:22 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Micay , Kees Cook , Kalle Valo , Sasha Levin Subject: [PATCH 4.4 060/190] ray_cs: Avoid reading past end of buffer Date: Wed, 11 Apr 2018 20:35:06 +0200 Message-Id: <20180411183553.829823073@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183550.114495991@linuxfoundation.org> References: <20180411183550.114495991@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kees Cook [ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ] Using memcpy() from a buffer that is shorter than the length copied means the destination buffer is being filled with arbitrary data from the kernel rodata segment. In this case, the source was made longer, since it did not match the destination structure size. Additionally removes a needless cast. This was found with the future CONFIG_FORTIFY_SOURCE feature. Cc: Daniel Micay Signed-off-by: Kees Cook Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/ray_cs.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/net/wireless/ray_cs.c +++ b/drivers/net/wireless/ray_cs.c @@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa 0x04, 0x08, /* Noise gain, limit offset */ 0x28, 0x28, /* det rssi, med busy offsets */ 7, /* det sync thresh */ - 0, 2, 2 /* test mode, min, max */ + 0, 2, 2, /* test mode, min, max */ + 0, /* rx/tx delay */ + 0, 0, 0, 0, 0, 0, /* current BSS id */ + 0 /* hop set */ }; /*===========================================================================*/ @@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_ * a_beacon_period = hops a_beacon_period = KuS *//* 64ms = 010000 */ if (local->fw_ver == 0x55) { - memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms, + memcpy(&local->sparm.b4, b4_default_startup_parms, sizeof(struct b4_startup_params)); /* Translate sane kus input values to old build 4/5 format */ /* i = hop time in uS truncated to 3 bytes */