From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Micay, Kees Cook, Varun Prakash, "Martin K. Petersen"
Subject: [PATCH 3.18 28/54] scsi: csiostor: Avoid content leaks and casts
Date: Tue, 11 Dec 2018 16:41:16 +0100
Message-Id: <20181211151547.704005911@linuxfoundation.org>
X-Mailer: git-send-email 2.20.0
In-Reply-To: <20181211151546.010073210@linuxfoundation.org>
References: <20181211151546.010073210@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook

commit 42c335f7e67029d2e01711f2f2bc6252277c8993 upstream.

When copying attributes, the len argument was padded out and the
resulting memcpy() would copy beyond the end of the source buffer.
Avoid this, and use size_t for val_len to avoid all the casts.
Similarly, avoid source buffer casts and use void *.

Additionally enforces val_len can be represented by u16 and that the DMA
buffer was not overflowed. Fixes the size of mfa, which is not
FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN (but it will be padded up to 4). This
was noticed by the future CONFIG_FORTIFY_SOURCE checks.

Cc: Daniel Micay
Signed-off-by: Kees Cook
Acked-by: Varun Prakash
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
---
 drivers/scsi/csiostor/csio_lnode.c | 43 ++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 17 deletions(-)

--- a/drivers/scsi/csiostor/csio_lnode.c
+++ b/drivers/scsi/csiostor/csio_lnode.c
@@ -238,14 +238,23 @@ csio_osname(uint8_t *buf, size_t buf_len } static inline void -csio_append_attrib(uint8_t **ptr, uint16_t type, uint8_t *val, uint16_t len) +csio_append_attrib(uint8_t **ptr, uint16_t type, void *val, size_t val_len) { + uint16_t len; struct fc_fdmi_attr_entry *ae = (struct fc_fdmi_attr_entry *)*ptr; + + if (WARN_ON(val_len > U16_MAX)) + return; + + len = val_len; + ae->type = htons(type); len += 4; /* includes attribute type and length */ len = (len + 3) & ~3; /* should be multiple of 4 bytes */ ae->len = htons(len); - memcpy(ae->value, val, len); + memcpy(ae->value, val, val_len); + if (len > val_len) + memset(ae->value + val_len, 0, len - val_len); *ptr += len; } @@ -335,7 +344,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h numattrs++; val = htonl(FC_PORTSPEED_1GBIT | FC_PORTSPEED_10GBIT); csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_SUPPORTEDSPEED, - (uint8_t *)&val, + &val, FC_FDMI_PORT_ATTR_SUPPORTEDSPEED_LEN); numattrs++; @@ -346,23 +355,22 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h else val = htonl(CSIO_HBA_PORTSPEED_UNKNOWN); csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED, - (uint8_t *)&val, - FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN); + &val, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN); numattrs++; mfs = ln->ln_sparm.csp.sp_bb_data; csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_MAXFRAMESIZE, - (uint8_t *)&mfs, FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN); + &mfs, sizeof(mfs)); numattrs++; strcpy(buf, "csiostor"); csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_OSDEVICENAME, buf, - (uint16_t)strlen(buf)); + strlen(buf)); numattrs++; if (!csio_hostname(buf, sizeof(buf))) { csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_HOSTNAME, - buf, (uint16_t)strlen(buf)); + buf, strlen(buf)); numattrs++; } attrib_blk->numattrs = htonl(numattrs); 
@@ -444,33 +452,32 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h strcpy(buf, "Chelsio Communications"); csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MANUFACTURER, buf, - (uint16_t)strlen(buf)); + strlen(buf)); numattrs++; csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_SERIALNUMBER, - hw->vpd.sn, (uint16_t)sizeof(hw->vpd.sn)); + hw->vpd.sn, sizeof(hw->vpd.sn)); numattrs++; csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODEL, hw->vpd.id, - (uint16_t)sizeof(hw->vpd.id)); + sizeof(hw->vpd.id)); numattrs++; csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODELDESCRIPTION, - hw->model_desc, (uint16_t)strlen(hw->model_desc)); + hw->model_desc, strlen(hw->model_desc)); numattrs++; csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_HARDWAREVERSION, - hw->hw_ver, (uint16_t)sizeof(hw->hw_ver)); + hw->hw_ver, sizeof(hw->hw_ver)); numattrs++; csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_FIRMWAREVERSION, - hw->fwrev_str, (uint16_t)strlen(hw->fwrev_str)); + hw->fwrev_str, strlen(hw->fwrev_str)); numattrs++; if (!csio_osname(buf, sizeof(buf))) { csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_OSNAMEVERSION, - buf, (uint16_t)strlen(buf)); + buf, strlen(buf)); numattrs++; } csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD, - (uint8_t *)&maxpayload, - FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN); + &maxpayload, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN); len = (uint32_t)(pld - (uint8_t *)cmd); numattrs++; attrib_blk->numattrs = htonl(numattrs); @@ -1794,6 +1801,8 @@ csio_ln_mgmt_submit_req(struct csio_iore struct csio_mgmtm *mgmtm = csio_hw_to_mgmtm(hw); int rv; + BUG_ON(pld_len > pld->len); + io_req->io_cbfn = io_cbfn; /* Upper layer callback handler */ io_req->fw_handle = (uintptr_t) (io_req); io_req->eq_idx = mgmtm->eq_idx;
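Review bot: In csio_append_attrib() (hunk at -238), the `WARN_ON(val_len > U16_MAX)` bound is too loose for the arithmetic that follows it. `len` is a uint16_t, so for any val_len above 65528 the `len += 4` plus the round-up to a multiple of 4 wraps, leaving ae->len and the `*ptr += len` advance small while `memcpy(ae->value, val, val_len)` still copies the full val_len. Suggest rejecting `val_len > U16_MAX - 7`, or doing the padding arithmetic in size_t and checking that the padded result fits in u16 before narrowing. Separately, len already counts the 4-byte type/length header, so `len - val_len` is the padding plus 4: assuming value starts right after that header, as the comment on `len += 4` implies, the memset zeroes 4 bytes past the end of this entry and the `if (len > val_len)` test is always true. The pad length looks like it should be len - 4 - val_len.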
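Review bot: In the MAXFRAMESIZE call in the hunk at -346, `&mfs, sizeof(mfs)` ties the attribute length on the wire to the declared type of a local variable, and the reason FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN is not used here is recorded only in the commit message. Suggest a short comment at the call site stating that the value is shorter than the attribute length constant and is zero-padded up to 4 by csio_append_attrib(), so that a later change to the type of mfs, or a well-meant switch back to the constant, does not reintroduce the read past the source.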
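Review bot: In the hunk at -444, the calls for hw->vpd.sn, hw->vpd.id and hw->hw_ver pass sizeof() of the whole array while the neighbouring string attributes pass strlen(), so for those three the full fixed-size field goes into the payload, including whatever bytes follow the string inside the array. Given that the stated goal is to avoid content leaks, it is worth confirming that these fields are fully initialised before they are filled, or, if they are NUL-terminated strings, switching to a bounded length such as strnlen(hw->vpd.sn, sizeof(hw->vpd.sn)). A one-line comment on why these three differ from the strlen() callers would also help.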
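Review bot: The `BUG_ON(pld_len > pld->len)` added to csio_ln_mgmt_submit_req() (hunk at -1794) runs only at submit time, after the callers in the earlier hunks have already written their attributes through pld, so it reports an overrun of the DMA buffer after the writes have happened rather than preventing them. Suggest passing the remaining buffer space into csio_append_attrib() and refusing the append there. With that in place, this check could become a WARN_ON with an error return through rv instead of taking the machine down.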