1. Patchew
  2. linux
  3. [PATCH net v4 0/2] net: stmmac: misc fixes
  4. View patch

[PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool

Konrad Leszczynski posted 2 patches 2 weeks, 2 days ago
[PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool
Posted by Konrad Leszczynski 2 weeks, 2 days ago 
Fix kernel exception by replacing memcpy with ethtool_puts when used with
safety feature strings in ethtool logic.

[  +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
[  +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571

[  +0.000005] Call Trace:
[  +0.000004]  <TASK>
[  +0.000003]  dump_stack_lvl+0x6c/0x90
[  +0.000016]  print_report+0xce/0x610
[  +0.000011]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
[  +0.000108]  ? kasan_addr_to_slab+0xd/0xa0
[  +0.000008]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
[  +0.000101]  kasan_report+0xd4/0x110
[  +0.000010]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
[  +0.000102]  kasan_check_range+0x3a/0x1c0
[  +0.000010]  __asan_memcpy+0x24/0x70
[  +0.000008]  stmmac_get_strings+0x17d/0x520 [stmmac]

Reviewed-by: Sebastian Basierski <sebastian.basierski@intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
index 77758a7299b4..d5a2b7e9b2a9 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
@@ -752,7 +752,7 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data)
 				if (!stmmac_safety_feat_dump(priv,
 							&priv->sstats, i,
 							NULL, &desc)) {
-					memcpy(p, desc, ETH_GSTRING_LEN);
+					ethtool_puts(&p, desc);
 					p += ETH_GSTRING_LEN;
 				}
 			}
-- 
2.34.1
Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool
Posted by Simon Horman 2 weeks, 1 day ago 
On Tue, Sep 16, 2025 at 02:09:31PM +0200, Konrad Leszczynski wrote:
> Fix kernel exception by replacing memcpy with ethtool_puts when used with
> safety feature strings in ethtool logic.
> 
> [  +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571
> 
> [  +0.000005] Call Trace:
> [  +0.000004]  <TASK>
> [  +0.000003]  dump_stack_lvl+0x6c/0x90
> [  +0.000016]  print_report+0xce/0x610
> [  +0.000011]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000108]  ? kasan_addr_to_slab+0xd/0xa0
> [  +0.000008]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000101]  kasan_report+0xd4/0x110
> [  +0.000010]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> [  +0.000102]  kasan_check_range+0x3a/0x1c0
> [  +0.000010]  __asan_memcpy+0x24/0x70
> [  +0.000008]  stmmac_get_strings+0x17d/0x520 [stmmac]
> 
> Reviewed-by: Sebastian Basierski <sebastian.basierski@intel.com>
> Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
> Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>

As per my comment on v3 (sorry, I missed that you had already posted v4):

I think it would be good to explain why using memcpy() is a problem here.

I looked and it seems to me that one reason is that the strings may be
too long. But are there others?

> ---
>  drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> index 77758a7299b4..d5a2b7e9b2a9 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
> @@ -752,7 +752,7 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data)
>  				if (!stmmac_safety_feat_dump(priv,
>  							&priv->sstats, i,
>  							NULL, &desc)) {
> -					memcpy(p, desc, ETH_GSTRING_LEN);
> +					ethtool_puts(&p, desc);
>  					p += ETH_GSTRING_LEN;

ethtool_puts() increments p, so I think the line above should be removed.

>  				}
>  			}
> -- 
> 2.34.1
> 
>
Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool
Posted by Andrew Lunn 2 weeks, 1 day ago 
On Tue, Sep 16, 2025 at 05:45:30PM +0100, Simon Horman wrote:
> On Tue, Sep 16, 2025 at 02:09:31PM +0200, Konrad Leszczynski wrote:
> > Fix kernel exception by replacing memcpy with ethtool_puts when used with
> > safety feature strings in ethtool logic.
> > 
> > [  +0.000023] BUG: KASAN: global-out-of-bounds in stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000115] Read of size 32 at addr ffffffffc0cfab20 by task ethtool/2571
> > 
> > [  +0.000005] Call Trace:
> > [  +0.000004]  <TASK>
> > [  +0.000003]  dump_stack_lvl+0x6c/0x90
> > [  +0.000016]  print_report+0xce/0x610
> > [  +0.000011]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000108]  ? kasan_addr_to_slab+0xd/0xa0
> > [  +0.000008]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000101]  kasan_report+0xd4/0x110
> > [  +0.000010]  ? stmmac_get_strings+0x17d/0x520 [stmmac]
> > [  +0.000102]  kasan_check_range+0x3a/0x1c0
> > [  +0.000010]  __asan_memcpy+0x24/0x70
> > [  +0.000008]  stmmac_get_strings+0x17d/0x520 [stmmac]
> > 
> > Reviewed-by: Sebastian Basierski <sebastian.basierski@intel.com>
> > Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
> > Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>
> 
> As per my comment on v3 (sorry, I missed that you had already posted v4):
> 
> I think it would be good to explain why using memcpy() is a problem here.
> 
> I looked and it seems to me that one reason is that the strings may be
> too long.

I actually think the strings are too short. But i could be wrong.

In general, stmmac uses:

struct stmmac_stats {
        char stat_string[ETH_GSTRING_LEN] __nonstring;
        int sizeof_stat;
        int stat_offset;
};

so the string is guaranteed to be long enough. However, these 'safety'
features make use of

struct dwmac5_error_desc {
        bool valid;
        const char *desc;
        const char *detailed_desc;
};

where desc can be any length, ironically making
dwmac5_safety_feat_dump() unsafe. This is why i asked that this be
changed to be the same stmmac_stats, so [ETH_GSTRING_LEN]
__nonstring. But that seems to of fallen on deaf ears.

	Andrew
Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool
Posted by Jakub Kicinski 2 weeks, 1 day ago 
On Tue, 16 Sep 2025 19:12:22 +0200 Andrew Lunn wrote:
> where desc can be any length, ironically making
> dwmac5_safety_feat_dump() unsafe. This is why i asked that this be
> changed to be the same stmmac_stats, so [ETH_GSTRING_LEN]
> __nonstring. But that seems to of fallen on deaf ears.

Yes, very strange.

Tony, Przemek, I suspect the folks here are from "different part of
Intel" but I think they need some guidance..
Re: [PATCH net v4 1/2] net: stmmac: replace memcpy with ethtool_puts in ethtool
Posted by Tony Nguyen 2 weeks ago 

On 9/16/2025 4:25 PM, Jakub Kicinski wrote:
> On Tue, 16 Sep 2025 19:12:22 +0200 Andrew Lunn wrote:
>> where desc can be any length, ironically making
>> dwmac5_safety_feat_dump() unsafe. This is why i asked that this be
>> changed to be the same stmmac_stats, so [ETH_GSTRING_LEN]
>> __nonstring. But that seems to of fallen on deaf ears.
> 
> Yes, very strange.
> 
> Tony, Przemek, I suspect the folks here are from "different part of
> Intel" but I think they need some guidance..

I'll reach out and see if we can provide them some help.

Thanks,
Tony

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.