* [PATCH 0/2][next] wl3501_cs: Fix out-of-bounds warnings
@ 2021-03-31 21:14 Gustavo A. R. Silva
2021-03-31 21:15 ` [PATCH 1/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_send_pkt Gustavo A. R. Silva
2021-03-31 21:16 ` [PATCH 2/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_mgmt_join Gustavo A. R. Silva
0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2021-03-31 21:14 UTC (permalink / raw)
To: linux-kernel
Cc: Kalle Valo, David S. Miller, Jakub Kicinski, linux-wireless,
netdev, linux-hardening, Gustavo A. R. Silva
Fix the a couple of out-of-bounds warnings by making the code
a bit more structured.
This helps with the ongoing efforts to enable -Warray-bounds and
avoid confusing the compiler.
Link: https://github.com/KSPP/linux/issues/109
Gustavo A. R. Silva (2):
wl3501_cs: Fix out-of-bounds warning in wl3501_send_pkt
wl3501_cs: Fix out-of-bounds warning in wl3501_mgmt_join
drivers/net/wireless/wl3501.h | 28 ++++++++++++++++------------
drivers/net/wireless/wl3501_cs.c | 6 +++---
2 files changed, 19 insertions(+), 15 deletions(-)
--
2.27.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_send_pkt
2021-03-31 21:14 [PATCH 0/2][next] wl3501_cs: Fix out-of-bounds warnings Gustavo A. R. Silva
@ 2021-03-31 21:15 ` Gustavo A. R. Silva
2021-03-31 21:16 ` [PATCH 2/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_mgmt_join Gustavo A. R. Silva
1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2021-03-31 21:15 UTC (permalink / raw)
To: linux-kernel
Cc: Kalle Valo, David S. Miller, Jakub Kicinski, linux-wireless,
netdev, linux-hardening, Gustavo A. R. Silva
Fix the following out-of-bounds warning by enclosing
structure members daddr and saddr into new struct addr:
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
Refactor the code, accordingly:
$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
struct wl3501_md_req {
u16 next_blk; /* 0 2 */
u8 sig_id; /* 2 1 */
u8 routing; /* 3 1 */
u16 data; /* 4 2 */
u16 size; /* 6 2 */
u8 pri; /* 8 1 */
u8 service_class; /* 9 1 */
struct {
u8 daddr[6]; /* 10 6 */
u8 saddr[6]; /* 16 6 */
} addr; /* 10 12 */
/* size: 22, cachelines: 1, members: 8 */
/* last cacheline: 22 bytes */
};
The problem is that the original code is trying to copy data into a
couple of arrays adjacent to each other in a single call to memcpy().
Now that a new struct _addr_ enclosing those two adjacent arrays
is introduced, memcpy() doesn't overrun the length of &sig.addr,
because the address of the new struct object _addr_ is used as
destination, instead.
Also, this helps with the ongoing efforts to enable -Warray-bounds and
avoid confusing the compiler.
Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Build-tested-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/lkml/60641d9b.2eNLedOGSdcSoAV2%25lkp@intel.com/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/net/wireless/wl3501.h | 6 ++++--
drivers/net/wireless/wl3501_cs.c | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
index e98e04ee9a2c..ef9d605d8c88 100644
--- a/drivers/net/wireless/wl3501.h
+++ b/drivers/net/wireless/wl3501.h
@@ -471,8 +471,10 @@ struct wl3501_md_req {
u16 size;
u8 pri;
u8 service_class;
- u8 daddr[ETH_ALEN];
- u8 saddr[ETH_ALEN];
+ struct {
+ u8 daddr[ETH_ALEN];
+ u8 saddr[ETH_ALEN];
+ } addr;
};
struct wl3501_md_ind {
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 8ca5789c7b37..384bf84dfa51 100644
--- a/drivers/net/wireless/wl3501_cs.c
+++ b/drivers/net/wireless/wl3501_cs.c
@@ -484,7 +484,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
goto out;
}
rc = 0;
- memcpy(&sig.daddr[0], pdata, 12);
+ memcpy(&sig.addr, pdata, sizeof(sig.addr));
pktlen = len - 12;
pdata += 12;
sig.data = bf;
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_mgmt_join
2021-03-31 21:14 [PATCH 0/2][next] wl3501_cs: Fix out-of-bounds warnings Gustavo A. R. Silva
2021-03-31 21:15 ` [PATCH 1/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_send_pkt Gustavo A. R. Silva
@ 2021-03-31 21:16 ` Gustavo A. R. Silva
1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2021-03-31 21:16 UTC (permalink / raw)
To: linux-kernel
Cc: Kalle Valo, David S. Miller, Jakub Kicinski, linux-wireless,
netdev, linux-hardening, Gustavo A. R. Silva
Fix the following out-of-bounds warning by enclosing
some structure members into new struct req:
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
Refactor the code, accordingly:
$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
struct wl3501_join_req {
u16 next_blk; /* 0 2 */
u8 sig_id; /* 2 1 */
u8 reserved; /* 3 1 */
struct iw_mgmt_data_rset operational_rset; /* 4 10 */
u16 reserved2; /* 14 2 */
u16 timeout; /* 16 2 */
u16 probe_delay; /* 18 2 */
u8 timestamp[8]; /* 20 8 */
u8 local_time[8]; /* 28 8 */
struct {
u16 beacon_period; /* 36 2 */
u16 dtim_period; /* 38 2 */
u16 cap_info; /* 40 2 */
u8 bss_type; /* 42 1 */
u8 bssid[6]; /* 43 6 */
struct iw_mgmt_essid_pset ssid; /* 49 34 */
/* --- cacheline 1 boundary (64 bytes) was 19 bytes ago --- */
struct iw_mgmt_ds_pset ds_pset; /* 83 3 */
struct iw_mgmt_cf_pset cf_pset; /* 86 8 */
struct iw_mgmt_ibss_pset ibss_pset; /* 94 4 */
struct iw_mgmt_data_rset bss_basic_rset; /* 98 10 */
} req; /* 36 72 */
/* size: 108, cachelines: 2, members: 10 */
/* last cacheline: 44 bytes */
};
The problem is that the original code is trying to copy data into a
bunch of struct members adjacent to each other in a single call to
memcpy(). Now that a new struct _req_ enclosing all those adjacent
members is introduced, memcpy() doesn't overrun the length of
&sig.beacon_period, because the address of the new struct object
_req_ is used as the destination, instead.
Also, this helps with the ongoing efforts to enable -Warray-bounds and
avoid confusing the compiler.
Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Build-tested-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/lkml/60641d9b.2eNLedOGSdcSoAV2%25lkp@intel.com/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/net/wireless/wl3501.h | 22 ++++++++++++----------
drivers/net/wireless/wl3501_cs.c | 4 ++--
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
index ef9d605d8c88..774d8cac046d 100644
--- a/drivers/net/wireless/wl3501.h
+++ b/drivers/net/wireless/wl3501.h
@@ -389,16 +389,18 @@ struct wl3501_join_req {
u16 probe_delay;
u8 timestamp[8];
u8 local_time[8];
- u16 beacon_period;
- u16 dtim_period;
- u16 cap_info;
- u8 bss_type;
- u8 bssid[ETH_ALEN];
- struct iw_mgmt_essid_pset ssid;
- struct iw_mgmt_ds_pset ds_pset;
- struct iw_mgmt_cf_pset cf_pset;
- struct iw_mgmt_ibss_pset ibss_pset;
- struct iw_mgmt_data_rset bss_basic_rset;
+ struct {
+ u16 beacon_period;
+ u16 dtim_period;
+ u16 cap_info;
+ u8 bss_type;
+ u8 bssid[ETH_ALEN];
+ struct iw_mgmt_essid_pset ssid;
+ struct iw_mgmt_ds_pset ds_pset;
+ struct iw_mgmt_cf_pset cf_pset;
+ struct iw_mgmt_ibss_pset ibss_pset;
+ struct iw_mgmt_data_rset bss_basic_rset;
+ } req;
};
struct wl3501_join_confirm {
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 384bf84dfa51..e4f467116bab 100644
--- a/drivers/net/wireless/wl3501_cs.c
+++ b/drivers/net/wireless/wl3501_cs.c
@@ -589,7 +589,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
struct wl3501_join_req sig = {
.sig_id = WL3501_SIG_JOIN_REQ,
.timeout = 10,
- .ds_pset = {
+ .req.ds_pset = {
.el = {
.id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
.len = 1,
@@ -598,7 +598,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
},
};
- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
+ memcpy(&sig.req, &this->bss_set[stas].beacon_period, sizeof(sig.req));
return wl3501_esbq_exec(this, &sig, sizeof(sig));
}
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-31 22:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-31 21:14 [PATCH 0/2][next] wl3501_cs: Fix out-of-bounds warnings Gustavo A. R. Silva
2021-03-31 21:15 ` [PATCH 1/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_send_pkt Gustavo A. R. Silva
2021-03-31 21:16 ` [PATCH 2/2][next] wl3501_cs: Fix out-of-bounds warning in wl3501_mgmt_join Gustavo A. R. Silva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).