diff options
| author | Daniel Axtens <[email protected]> | 2020-02-25 10:44:27 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <[email protected]> | 2020-03-03 08:02:57 +0100 |
| commit | 3745488e9d599916a0b40d45d3f30e3d4720288e (patch) | |
| tree | a761d25cb9e94cc17dcc791414f1c2a8de131796 /tools/perf/util/trace-event-scripting.c | |
| parent | 2669b8b0c798fbe1a31d49e07aa33233d469ad9b (diff) | |
altera-stapl: altera_get_note: prevent write beyond end of 'key'
altera_get_note is called from altera_init, where key is kzalloc(33).
When the allocation functions are annotated to allow the compiler to see
the sizes of objects, and with FORTIFY_SOURCE, we see:
In file included from drivers/misc/altera-stapl/altera.c:14:0:
In function ‘strlcpy’,
inlined from ‘altera_init’ at drivers/misc/altera-stapl/altera.c:2189:5:
include/linux/string.h:378:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
__write_overflow();
^~~~~~~~~~~~~~~~~~
That refers to this code in altera_get_note:
if (key != NULL)
strlcpy(key, &p[note_strings +
get_unaligned_be32(
&p[note_table + (8 * i)])],
length);
The error triggers because the length of 'key' is 33, but the copy
uses length supplied as the 'length' parameter, which is always
256. Split the size parameter into key_len and val_len, and use the
appropriate length depending on what is being copied.
Detected by compiler error, only compile-tested.
Cc: "Igor M. Liplianin" <[email protected]>
Signed-off-by: Daniel Axtens <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/202002251042.D898E67AC@keescook
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat (limited to 'tools/perf/util/trace-event-scripting.c')
0 files changed, 0 insertions, 0 deletions