diff options
| author | Kees Cook <[email protected]> | 2017-07-12 14:36:01 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2017-07-12 16:26:03 -0700 |
| commit | 4c93496f18ce5044d78e4f7f9e018682a4f44b3d (patch) | |
| tree | 15b3f5ce7eb2c10f777f7054ba93fd0052e7300f /drivers/gpu/drm/amd/amdgpu/amdgpu_queue_mgr.c | |
| parent | e2ae8ab4b571e2e4094a28acb60649bc2732c67f (diff) | |
IB/rxe: do not copy extra stack memory to skb
This fixes a over-read condition detected by FORTIFY_SOURCE for this
line:
memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb));
The error was:
In file included from ./include/linux/bitmap.h:8:0,
from ./include/linux/cpumask.h:11,
from ./include/linux/mm_types_task.h:13,
from ./include/linux/mm_types.h:4,
from ./include/linux/kmemcheck.h:4,
from ./include/linux/skbuff.h:18,
from drivers/infiniband/sw/rxe/rxe_resp.c:34:
In function 'memcpy',
inlined from 'send_atomic_ack.constprop' at drivers/infiniband/sw/rxe/rxe_resp.c:998:2,
inlined from 'acknowledge' at drivers/infiniband/sw/rxe/rxe_resp.c:1026:3,
inlined from 'rxe_responder' at drivers/infiniband/sw/rxe/rxe_resp.c:1286:10:
./include/linux/string.h:309:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
__read_overflow2();
Daniel Micay noted that struct rxe_pkt_info is 32 bytes on 32-bit
architectures, but skb->cb is still 64. The memcpy() over-reads 32
bytes. This fixes it by zeroing the unused bytes in skb->cb.
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>
Cc: Moni Shoua <[email protected]>
Cc: Doug Ledford <[email protected]>
Cc: Sean Hefty <[email protected]>
Cc: Daniel Micay <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_queue_mgr.c')
0 files changed, 0 insertions, 0 deletions