Ack: [Precise Quantal CVE-2013-1929] tg3: fix length overflow in VPD firmware parsing
Brad Figg
brad.figg at canonical.com
Fri Apr 12 14:12:13 UTC 2013
On 04/12/2013 06:46 AM, Luis Henriques wrote:
> From: Kees Cook <keescook at chromium.org>
>
> CVE-2013-1929
>
> BugLink: http://bugs.launchpad.net/bugs/1167065
>
> Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
> when present") introduced VPD parsing that contained a potential length
> overflow.
>
> Limit the hardware's reported firmware string length (max 255 bytes) to
> stay inside the driver's firmware string length (32 bytes). On overflow,
> truncate the formatted firmware string instead of potentially overwriting
> portions of the tg3 struct.
>
> http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
>
> Signed-off-by: Kees Cook <keescook at chromium.org>
> Reported-by: Oded Horovitz <oded at privatecore.com>
> Reported-by: Brad Spengler <spender at grsecurity.net>
> Cc: stable at vger.kernel.org
> Cc: Matt Carlson <mcarlson at broadcom.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
> index ca3be73..c2450f4 100644
> --- a/drivers/net/ethernet/broadcom/tg3.c
> +++ b/drivers/net/ethernet/broadcom/tg3.c
> @@ -13617,8 +13617,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
> if (j + len > block_end)
> goto partno;
>
> - memcpy(tp->fw_ver, &vpd_data[j], len);
> - strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
> + if (len >= sizeof(tp->fw_ver))
> + len = sizeof(tp->fw_ver) - 1;
> + memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
> + snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
> + &vpd_data[j]);
> }
>
> partno:
>
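Review bot: the clamp `len = sizeof(tp->fw_ver) - 1` lets the VPD bytes alone fill the whole buffer, so the following snprintf silently drops part or all of the " bc " separator once len gets close to the buffer size. The commit message says truncation is intended, so a one-line comment above the clamp saying so would help; alternatively clamp far enough to leave room for the separator if anything later relies on it. Also, `%.*s` takes an int precision and the declaration of len is not visible in this hunk; if it is an unsigned type, pass `(int)len`. The memset is not needed for termination, since snprintf always NUL-terminates, but it is reasonable to keep for clearing stale bytes.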
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
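
The length clamp described in the quoted commit message, as an added user-space example (not code from the patch or the tg3 driver). `struct fake_tg3`, its `canary` field, `set_fw_ver` and `run_case` are hypothetical names, and the VPD bytes are constructed; the 32-byte buffer and 255-byte maximum come from the commit message.

```c
#include <stdio.h>
#include <string.h>

#define FW_VER_LEN 32   /* driver-side buffer size given in the commit message */

/* Hypothetical stand-in for the part of struct tg3 around fw_ver. */
struct fake_tg3 {
    char fw_ver[FW_VER_LEN];
    unsigned int canary;    /* constructed neighbour field, detects an overwrite */
};

/* Same clamp-then-format sequence as the patched hunk, on a user-space struct.
 * Returns the number of VPD bytes actually kept. */
static unsigned int set_fw_ver(struct fake_tg3 *tp, const unsigned char *vpd,
                               unsigned int len)
{
    if (len >= sizeof(tp->fw_ver))
        len = sizeof(tp->fw_ver) - 1;
    memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
    snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", (int)len,
             (const char *)vpd);
    return len;
}

/* Feed one constructed VPD field of `len` bytes; return 1 if the neighbour survived. */
static int run_case(unsigned int len, char *out, size_t outsz)
{
    unsigned char vpd[255];         /* hardware-reported maximum length */
    struct fake_tg3 tp;

    memset(vpd, 'A', sizeof(vpd));  /* constructed string, not NUL-terminated */
    tp.canary = 0xC0FFEEu;
    set_fw_ver(&tp, vpd, len);
    snprintf(out, outsz, "%s", tp.fw_ver);
    return tp.canary == 0xC0FFEEu;
}

int main(void)
{
    unsigned int lens[] = { 4, 27, 28, 31, 255 };
    char out[FW_VER_LEN];
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int ok = run_case(lens[i], out, sizeof(out));
        printf("len=%3u -> \"%s\" (%zu chars) neighbour %s\n", lens[i], out,
               strlen(out), ok ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

From 28 bytes upward the separator is cut short, and at 31 or more it is dropped entirely, while the neighbouring field stays intact in every case.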