[thirdparty/kernel/stable-queue.git] / releases / 5.1.7 / tipc-avoid-copying-bytes-beyond-the-supplied-data.patch

From foo@baz Fri 31 May 2019 03:16:39 PM PDT
From: Chris Packham <chris.packham@alliedtelesis.co.nz>
Date: Mon, 20 May 2019 15:45:36 +1200
Subject: tipc: Avoid copying bytes beyond the supplied data

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

TLV_SET is called with a data pointer and a len parameter that tells us
how many bytes are pointed to by data. When invoking memcpy() we need
to careful to only copy len bytes.

Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
4 bytes past the end of the data pointer which newer GCC versions
complain about.

 In file included from test.c:17:
 In function 'TLV_SET',
     inlined from 'test' at test.c:186:5:
 /usr/include/linux/tipc_config.h:317:3:
 warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
 of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
     memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 test.c: In function 'test':
 test.c::161:10: note:
 'bearer_name' declared here
     char bearer_name[TIPC_MAX_BEARER_NAME];
          ^~~~~~~~~~~

We still want to ensure any padding bytes at the end are initialised, do
this with a explicit memset() rather than copy bytes past the end of
data. Apply the same logic to TCM_SET.

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/tipc_config.h |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/include/uapi/linux/tipc_config.h
+++ b/include/uapi/linux/tipc_config.h
@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u
 	tlv_ptr = (struct tlv_desc *)tlv;
 	tlv_ptr->tlv_type = htons(type);
 	tlv_ptr->tlv_len  = htons(tlv_len);
-	if (len && data)
-		memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
+	if (len && data) {
+		memcpy(TLV_DATA(tlv_ptr), data, len);
+		memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
+	}
 	return TLV_SPACE(len);
 }
 
@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u
 	tcm_hdr->tcm_len   = htonl(msg_len);
 	tcm_hdr->tcm_type  = htons(cmd);
 	tcm_hdr->tcm_flags = htons(flags);
-	if (data_len && data)
+	if (data_len && data) {
 		memcpy(TCM_DATA(msg), data, data_len);
+		memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
+	}
 	return TCM_SPACE(data_len);
 }
Commit	Line	Data
ffc20820 GKH	1	From foo@baz Fri 31 May 2019 03:16:39 PM PDT
	2	From: Chris Packham <chris.packham@alliedtelesis.co.nz>
	3	Date: Mon, 20 May 2019 15:45:36 +1200
	4	Subject: tipc: Avoid copying bytes beyond the supplied data
	5
	6	From: Chris Packham <chris.packham@alliedtelesis.co.nz>
	7
	8	TLV_SET is called with a data pointer and a len parameter that tells us
	9	how many bytes are pointed to by data. When invoking memcpy() we need
	10	to careful to only copy len bytes.
	11
	12	Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
	13	4 bytes past the end of the data pointer which newer GCC versions
	14	complain about.
	15
	16	In file included from test.c:17:
	17	In function 'TLV_SET',
	18	inlined from 'test' at test.c:186:5:
	19	/usr/include/linux/tipc_config.h:317:3:
	20	warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
	21	of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
	22	memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
	23	^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	24	test.c: In function 'test':
	25	test.c::161:10: note:
	26	'bearer_name' declared here
	27	char bearer_name[TIPC_MAX_BEARER_NAME];
	28	^~~~~~~~~~~
	29
	30	We still want to ensure any padding bytes at the end are initialised, do
	31	this with a explicit memset() rather than copy bytes past the end of
	32	data. Apply the same logic to TCM_SET.
	33
	34	Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
	35	Signed-off-by: David S. Miller <davem@davemloft.net>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	---
	38	include/uapi/linux/tipc_config.h \| 10 +++++++---
	39	1 file changed, 7 insertions(+), 3 deletions(-)
	40
	41	--- a/include/uapi/linux/tipc_config.h
	42	+++ b/include/uapi/linux/tipc_config.h
	43	@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u
	44	tlv_ptr = (struct tlv_desc *)tlv;
	45	tlv_ptr->tlv_type = htons(type);
	46	tlv_ptr->tlv_len = htons(tlv_len);
	47	- if (len && data)
	48	- memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
	49	+ if (len && data) {
	50	+ memcpy(TLV_DATA(tlv_ptr), data, len);
	51	+ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
	52	+ }
	53	return TLV_SPACE(len);
	54	}
	55
	56	@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u
	57	tcm_hdr->tcm_len = htonl(msg_len);
	58	tcm_hdr->tcm_type = htons(cmd);
	59	tcm_hdr->tcm_flags = htons(flags);
	60	- if (data_len && data)
	61	+ if (data_len && data) {
	62	memcpy(TCM_DATA(msg), data, data_len);
	63	+ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
	64	+ }
65	return TCM_SPACE(data_len);
66	}
67