Commit 7b3c1a85 authored by Kees Cook's avatar Kees Cook Committed by Greg Kroah-Hartman
Browse files

tg3: fix length overflow in VPD firmware parsing 

commit 715230a4 upstream.

Commit 184b8904 ("tg3: Use VPD fw version
when present") introduced VPD parsing that contained a potential length
overflow.

Limit the hardware's reported firmware string length (max 255 bytes) to
stay inside the driver's firmware string length (32 bytes). On overflow,
truncate the formatted firmware string instead of potentially overwriting
portions of the tg3 struct.

http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf



-js: This fixes CVE-2013-1929.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Reported-by: default avatarOded Horovitz <oded@privatecore.com>
Reported-by: default avatarBrad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Cc: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Acked-by: default avatarJeff Mahoney <jeffm@suse.com>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 6ac3a550
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment