From patchwork Tue Aug 28 20:13:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 145362 Delivered-To: patch@linaro.org Received: by 2002:a2e:1648:0:0:0:0:0 with SMTP id 8-v6csp1589230ljw; Tue, 28 Aug 2018 13:13:50 -0700 (PDT) X-Google-Smtp-Source: ANB0VdasEIYRMLpALU+yISykAbxikNxt6Wo2hKioeE2XPvrpDcSaxE9ClugUj++sGVuXRSKv1ach X-Received: by 2002:a65:520d:: with SMTP id o13-v6mr2942512pgp.282.1535487230014; Tue, 28 Aug 2018 13:13:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535487230; cv=none; d=google.com; s=arc-20160816; b=O/3wj2cr/Qovl+bmuqqIMBpGfJ5cGEvq/E8rGOv3ZViLM/x77EtLFQ1cJnaUWTfObC TYDm92rDKvFZLuq4doLVI7vrb/v/aZCp8+sLvpesupPpDs7btu5bKHBbpnuiTZ2J+GK1 LQLlbJwLLGXx0V6b7EsKDaXiJeOa1p6Nc1LAqsoS4+bT71XWjXNXihdeWAUPO5fUHUpS pjyNNj0sOsBp5Ej93Ja+lLcKSOwM62UpdrUFmsyZNqZ3cbIkWCNQxh574uk5uHWga64j zDmJKU5Z6Kohy9eOB8U/bK+R1ZUuWHV1wx8yGsrInrNDIZnzQOZZzqFZrsfBnCCq6lrm qhgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=TXw3P4FPYZd2psDcpNo0aDwlZC4DOHZgU3cnNo2rc6w=; b=W3cZCrHsmC3e6gkABTqVFrOPQw9U7DcW1bR9HGILn2yo7YO3lUyM1jZDUhTDql4qkf MePuybjvrAqbmIf+UPaLS6WmHkliUyFbXeZldikI9U0C3FYnFGczDyoPHMXmZDOLBRTE E5N+Gjsy1/Er0Ze8x/yt0KB4X6sv8OEft6gyBLDerCdpxJCjC9NwcTwQNrZ9kya3K2bp jJl/mCSiJrO9ZD7T9nJn0kwqqQCsO8U2SiVGPaBdQ5h5DkF3YFPcckVdl51nKO/07TMe HFFdeeMxeIkibcN91JgYFwOUHhHQAyvHT5tK0xqWhaPKCaElczBxYbEP/mnJHPTHXSoR H1nQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=LdrzLcdM; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y10-v6si1906969pgf.312.2018.08.28.13.13.49; Tue, 28 Aug 2018 13:13:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=LdrzLcdM; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727144AbeH2AHD (ORCPT + 13 others); Tue, 28 Aug 2018 20:07:03 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:35292 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726961AbeH2AHD (ORCPT ); Tue, 28 Aug 2018 20:07:03 -0400 Received: by mail-pg1-f195.google.com with SMTP id z4-v6so1248625pgv.2 for ; Tue, 28 Aug 2018 13:13:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=TXw3P4FPYZd2psDcpNo0aDwlZC4DOHZgU3cnNo2rc6w=; b=LdrzLcdMZI7pJeR5aV17wXIdAWEI6KhV5MN2n3u8U0UiR1ZeIrS3ZkPisGpooTzv6V VM7NIEMdz1/0KBNPTvGj6P7zSZHkvkkPH3+rwc9SB90x46eBSHBxcwPnlNsNKA3cC5ko 96VsT5Lxwn18xk5dKQsACiVQMmskbp4hd64kg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=TXw3P4FPYZd2psDcpNo0aDwlZC4DOHZgU3cnNo2rc6w=; b=IGU29QIWAr7HB4Al7AOgAT6BgRlfiGuD0ErqDeMftmj/XDq8ou1kHqTGzFmNSZxkiH AMxFc0RDHGDeaW+FXbUZDQc/z05gR22pnr0yjnfH7McNSmlCsmfocguq798+FSioTspT Gch093AEfIj0ll5txGs5Hm0ICQ93ctG6Vy6s2pbGSd3ZYXvck3nyHGOwyVR22mFbCuqV bvgJDgjmJrfl4xk6v9wIFxn4cD1OV+fps86yB6FiOftdwpOuPxlbLMifi4BNX21PI+hM BtkNnT0UgshOI7g0xGaFSKSR03QzqsZ11oD0GNOrnren1Ym8qCtifKCfCDidaEaTFqns gKwQ== X-Gm-Message-State: APzg51D3xQFvCqj1Xqus4TeQk67b/YbFVLQZlUVgH/IXAoJtCNG1HPvd gfKoRiC3zmuMD1pVwAuvICyu4Q== X-Received: by 2002:a63:5fc8:: with SMTP id t191-v6mr2886716pgb.183.1535487228559; Tue, 28 Aug 2018 13:13:48 -0700 (PDT) Received: from localhost.localdomain ([49.207.48.21]) by smtp.gmail.com with ESMTPSA id t86-v6sm3098181pfe.109.2018.08.28.13.13.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 28 Aug 2018 13:13:47 -0700 (PDT) From: Amit Pundir To: Greg KH Cc: Stable , Daniel Micay , Kees Cook , Wayne Porter Subject: [PATCH for-4.9.y 06/14] staging/rts5208: Fix read overflow in memcpy Date: Wed, 29 Aug 2018 01:43:17 +0530 Message-Id: <1535487205-26280-7-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org> References: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Daniel Micay commit 88a5b39b69ab1828fd4130e2baadd184109cea69 upstream. Noticed by FORTIFY_SOURCE, this swaps memcpy() for strncpy() to zero-value fill the end of the buffer instead of over-reading a string from .rodata. Signed-off-by: Daniel Micay [kees: wrote commit log] Signed-off-by: Kees Cook Cc: Greg Kroah-Hartman Cc: Wayne Porter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Amit Pundir --- To be applied on 4.4.y and 3.18.y as well. Build tested on v4.4.153 and v3.18.120. drivers/staging/rts5208/rtsx_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.7.4 diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c index b3790334fd3f..f50076d0fb6c 100644 --- a/drivers/staging/rts5208/rtsx_scsi.c +++ b/drivers/staging/rts5208/rtsx_scsi.c @@ -536,7 +536,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip) if (sendbytes > 8) { memcpy(buf, inquiry_buf, 8); - memcpy(buf + 8, inquiry_string, sendbytes - 8); + strncpy(buf + 8, inquiry_string, sendbytes - 8); if (pro_formatter_flag) { /* Additional Length */ buf[4] = 0x33;