[Precise Quantal CVE-2013-1929] tg3: fix length overflow in VPD firmware parsing

Luis Henriques luis.henriques at canonical.com
Fri Apr 12 13:46:02 UTC 2013

From: Kees Cook <keescook at chromium.org>


BugLink: http://bugs.launchpad.net/bugs/1167065

Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
when present") introduced VPD parsing that contained a potential length

Limit the hardware's reported firmware string length (max 255 bytes) to
stay inside the driver's firmware string length (32 bytes). On overflow,
truncate the formatted firmware string instead of potentially overwriting
portions of the tg3 struct.


Signed-off-by: Kees Cook <keescook at chromium.org>
Reported-by: Oded Horovitz <oded at privatecore.com>
Reported-by: Brad Spengler <spender at grsecurity.net>
Cc: stable at vger.kernel.org
Cc: Matt Carlson <mcarlson at broadcom.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index ca3be73..c2450f4 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -13617,8 +13617,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
 		if (j + len > block_end)
 			goto partno;
-		memcpy(tp->fw_ver, &vpd_data[j], len);
-		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
+		if (len >= sizeof(tp->fw_ver))
+			len = sizeof(tp->fw_ver) - 1;
+		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
+		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
+			 &vpd_data[j]);

More information about the kernel-team mailing list