From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>,
	Larry Finger <Larry.Finger@lwfinger.net>,
	Phillip Potter <phil@philpotter.co.uk>,
	Michael Straube <straube.linux@gmail.com>,
	Fabio Aiuto <fabioaiuto83@gmail.com>,
	linux-staging@lists.linux.dev,
	Florian Schilhabel <florian.c.schilhabel@googlemail.com>,
	Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
	Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>,
	Ivan Safonov <insafonov@gmail.com>,
	Martin Kaiser <martin@kaiser.cx>,
	Yang Li <yang.lee@linux.alibaba.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Hans de Goede <hdegoede@redhat.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Marco Cesati <marcocesati@gmail.com>,
	Joe Perches <joe@perches.com>,
	"Fabio M. De Francesco" <fmdefrancesco@gmail.com>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 2/3 v2] staging: rtl8723bs: Drop get_recvframe_data()
Date: Fri, 14 Jan 2022 20:24:26 -0800	[thread overview]
Message-ID: <20220115042427.824542-3-keescook@chromium.org> (raw)
In-Reply-To: <20220115042427.824542-1-keescook@chromium.org>

When building with -Warray-bounds, the following warning is emitted:

In file included from ./include/linux/string.h:253,
                 from ./arch/x86/include/asm/page_32.h:22,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/thread_info.h:12,
                 from ./include/linux/thread_info.h:60,
                 from ./arch/x86/include/asm/preempt.h:7,
                 from ./include/linux/preempt.h:78,
                 from ./include/linux/rcupdate.h:27,
                 from ./include/linux/rculist.h:11,
                 from ./include/linux/sched/signal.h:5,
                 from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
                 from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
    inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
   41 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^

This is because the compiler sees that it is possible for "ptr" to be a
NULL value, concludes that it has zero size, and decides that any attempt
to copy to it would overflow. Instead, remove get_recvframe_data()
entirely, as it's not possible for this to ever be NULL.

Additionally add missing NULL checks after recvframe_pull() (which are
present in the rtl8712 driver).

Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michael Straube <straube.linux@gmail.com>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/staging/rtl8723bs/core/rtw_recv.c      | 11 ++++++++---
 drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c |  3 +--
 drivers/staging/rtl8723bs/include/rtw_recv.h   | 11 -----------
 3 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 41bfca549c64..ffb455688a7d 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -465,7 +465,7 @@ static union recv_frame *portctrl(struct adapter *adapter, union recv_frame *pre
 
 	auth_alg = adapter->securitypriv.dot11AuthAlgrthm;
 
-	ptr = get_recvframe_data(precv_frame);
+	ptr = precvframe->u.hdr.rx_data;
 	pfhdr = &precv_frame->u.hdr;
 	pattrib = &pfhdr->attrib;
 	psta_addr = pattrib->ta;
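Review bot: The added line `ptr = precvframe->u.hdr.rx_data;` uses `precvframe`, but both the removed line and the context line directly below it (`pfhdr = &precv_frame->u.hdr;`) use `precv_frame`, so in portctrl() the frame pointer appears to be named `precv_frame` (the hunk header cuts the parameter list off at `pre`). As written this most likely fails to build with an undeclared identifier; the line should read `ptr = precv_frame->u.hdr.rx_data;`. The other conversions in this patch are in functions whose parameter is shown as `precvframe`, so only this site needs the change. portctrl() starts and ends outside the hunk.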
@@ -1510,7 +1510,7 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
 	__be16 be_tmp;
 	struct adapter			*adapter = precvframe->u.hdr.adapter;
 	struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
-	u8 *ptr = get_recvframe_data(precvframe) ; /*  point to frame_ctrl field */
+	u8 *ptr = precvframe->u.hdr.rx_data; /*  point to frame_ctrl field */
 	struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
 
 	if (pattrib->encrypt)
@@ -1546,10 +1546,15 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
 		eth_type = 0x8712;
 		/*  append rx status for mp test packets */
 		ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr)+2)-24);
+		if (!ptr)
+			return _FAIL;
 		memcpy(ptr, get_rxmem(precvframe), 24);
 		ptr += 24;
-	} else
+	} else {
 		ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr?2:0)));
+		if (!ptr)
+			return _FAIL;
+	}
 
 	memcpy(ptr, pattrib->dst, ETH_ALEN);
 	memcpy(ptr+ETH_ALEN, pattrib->src, ETH_ALEN);
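Review bot: The new `if (!ptr) return _FAIL;` checks protect the memcpy() calls below only as far as recvframe_pull() rejects every out-of-range offset, and the offset here mixes `rmv_len` with `sizeof(struct ethhdr)` (a size_t) before being converted to the `signed int sz` parameter declared in rtw_recv.h; in the mp-test branch the extra `-24` makes a negative result plausible. recvframe_pull()'s body is not part of this patch, so it should be confirmed that it returns NULL for a negative or wrapped `sz` and not only for one that runs past the end of the received data. If it does not, the first check could also compare against the buffer start that get_rxmem() returns, e.g. `if (!ptr || ptr < get_rxmem(precvframe))`. wlanhdr_to_ethhdr() continues outside the hunk, so whether the caller releases the frame on the new `_FAIL` return cannot be seen from here.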
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
index c0a1a6fbeb91..74e75dc970f7 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
@@ -81,7 +81,7 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
 	struct odm_phy_info *p_phy_info =
 		(struct odm_phy_info *)(&pattrib->phy_info);
 
-	u8 *wlanhdr;
+	u8 *wlanhdr = precvframe->u.hdr.rx_data;
 	u8 *my_bssid;
 	u8 *rx_bssid;
 	u8 *rx_ra;
@@ -100,7 +100,6 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
 	struct sta_priv *pstapriv;
 	struct sta_info *psta;
 
-	wlanhdr = get_recvframe_data(precvframe);
 	my_bssid = get_bssid(&padapter->mlmepriv);
 	rx_bssid = get_hdr_bssid(wlanhdr);
 	pkt_info.bssid_match = ((!IsFrameTypeCtrl(wlanhdr)) &&
diff --git a/drivers/staging/rtl8723bs/include/rtw_recv.h b/drivers/staging/rtl8723bs/include/rtw_recv.h
index a88b7c088a86..44f67103503a 100644
--- a/drivers/staging/rtl8723bs/include/rtw_recv.h
+++ b/drivers/staging/rtl8723bs/include/rtw_recv.h
@@ -385,17 +385,6 @@ static inline u8 *get_rxmem(union recv_frame *precvframe)
 	return precvframe->u.hdr.rx_head;
 }
 
-static inline u8 *get_recvframe_data(union recv_frame *precvframe)
-{
-
-	/* alwasy return rx_data */
-	if (precvframe == NULL)
-		return NULL;
-
-	return precvframe->u.hdr.rx_data;
-
-}
-
 static inline u8 *recvframe_pull(union recv_frame *precvframe, signed int sz)
 {
 	/*  rx_data += sz; move rx_data sz bytes  hereafter */
-- 
2.30.2

