From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, kernel test robot, Kees Cook, Johan Hovold
Subject: [PATCH 5.17 005/225] USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
Date: Wed, 4 May 2022 18:44:03 +0200
Message-Id: <20220504153110.722997606@linuxfoundation.org>
In-Reply-To: <20220504153110.096069935@linuxfoundation.org>
References: <20220504153110.096069935@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Kees Cook

commit e23e50e7acc8d8f16498e9c129db33e6a00e80eb upstream.

The sizeof(struct whitehat_dr_info) can be 4 bytes under CONFIG_AEABI=n
due to "-mabi=apcs-gnu", even though it has a single u8:

whiteheat_private {
        __u8                       mcr;                  /*     0     1 */

        /* size: 4, cachelines: 1, members: 1 */
        /* padding: 3 */
        /* last cacheline: 4 bytes */
};

The result is technically harmless, as both the source and the destinations
are currently the same allocation size (4 bytes) and don't use their
padding, but if anything were to ever be added after the "mcr" member in
"struct whiteheat_private", it would be overwritten. The structs both have
a single u8 "mcr" member, but are 4 bytes in padded size. The memcpy()
destination was explicitly targeting the u8 member (size 1) with the length
of the whole structure (size 4), triggering the memcpy buffer overflow
warning:

In file included from include/linux/string.h:253,
                 from include/linux/bitmap.h:11,
                 from include/linux/cpumask.h:12,
                 from include/linux/smp.h:13,
                 from include/linux/lockdep.h:14,
                 from include/linux/spinlock.h:62,
                 from include/linux/mmzone.h:8,
                 from include/linux/gfp.h:6,
                 from include/linux/slab.h:15,
                 from drivers/usb/serial/whiteheat.c:17:
In function 'fortify_memcpy_chk',
    inlined from 'firm_send_command' at drivers/usb/serial/whiteheat.c:587:4:
include/linux/fortify-string.h:328:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
  328 |                         __write_overflow_field(p_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Instead, just assign the one byte directly.

Reported-by: kernel test robot
Link: https://lore.kernel.org/lkml/202204142318.vDqjjSFn-lkp@intel.com
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Link: https://lore.kernel.org/r/20220421001234.2421107-1-keescook@chromium.org
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/whiteheat.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/drivers/usb/serial/whiteheat.c +++ b/drivers/usb/serial/whiteheat.c @@ -584,9 +584,8 @@ static int firm_send_command(struct usb_ switch (command) { case WHITEHEAT_GET_DTR_RTS: info = usb_get_serial_port_data(port); - memcpy(&info->mcr, command_info->result_buffer, - sizeof(struct whiteheat_dr_info)); - break; + info->mcr = command_info->result_buffer[0]; + break; } } exit:
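Review bot: the replacement line `info->mcr = command_info->result_buffer[0];` hard-codes that the mcr byte of the WHITEHEAT_GET_DTR_RTS response is the first byte of result_buffer, which holds only while struct whiteheat_dr_info keeps mcr as its first member; a `BUILD_BUG_ON(offsetof(struct whiteheat_dr_info, mcr) != 0);` beside the assignment, or a one-line comment, would keep that assumption visible to the next person who touches the struct. A sizeof-based check would not do here, since the commit message shows sizeof(struct whiteheat_dr_info) can be 4 on apcs-gnu builds.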
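The padding problem the commit message describes, reproduced on any ABI as an added example that is not part of the patch or the kernel tree: `dr_info`, `priv_info`, `raw_copy`, `fill_with_memcpy` and `fill_with_byte` are hypothetical names standing in for the whiteheat structures, and the `flags` member is the "anything added after mcr" case the message warns about.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for struct whiteheat_dr_info. aligned(4) forces the 4-byte padded
 * size the commit message reports under -mabi=apcs-gnu, so the demo behaves
 * the same on every ABI. (Hypothetical name, not the kernel's struct.) */
struct dr_info {
    uint8_t mcr;
} __attribute__((aligned(4)));

/* Stand-in for struct whiteheat_private with a hypothetical 'flags' member
 * placed right after mcr, i.e. in what used to be padding. */
struct priv_info {
    uint8_t mcr;
    uint8_t flags;
    uint8_t reserved[2];
};

/* Constructed 4-byte result buffer, as if returned by the device. */
static const uint8_t sample_result[4] = { 0x03, 0xAA, 0xBB, 0xCC };

/* noinline hides the destination size from the compiler so the demo shows the
 * run-time effect; a FORTIFY_SOURCE kernel build instead rejects the same
 * inline memcpy() at compile time, as quoted in the commit message. */
__attribute__((noinline))
static void raw_copy(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Pre-fix pattern: sizeof(struct) bytes copied into a 1-byte member.
 * Returns (mcr << 8) | flags so both fields can be inspected. */
unsigned fill_with_memcpy(void)
{
    struct priv_info info = { .mcr = 0, .flags = 0x5A };
    raw_copy(&info.mcr, sample_result, sizeof(struct dr_info));
    return ((unsigned)info.mcr << 8) | info.flags;   /* 0x03AA: flags clobbered */
}

/* Fixed pattern from the patch: assign the single byte directly. */
unsigned fill_with_byte(void)
{
    struct priv_info info = { .mcr = 0, .flags = 0x5A };
    info.mcr = sample_result[0];
    return ((unsigned)info.mcr << 8) | info.flags;   /* 0x035A: flags intact */
}

size_t dr_info_size(void) { return sizeof(struct dr_info); }
```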