From: Dan Carpenter <dan.carpenter@oracle.com>
To: Lee Gibson <leegib@gmail.com>
Cc: gregkh@linuxfoundation.org, devel@driverdev.osuosl.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
Date: Fri, 26 Feb 2021 17:05:26 +0300 [thread overview]
Message-ID: <20210226140526.GG2222@kadam> (raw)
In-Reply-To: <20210226134333.GA2087@kadam>
Here is a v2 of my check. I've changed it to mark all "->ssid" and
everything in "(struct ieee80211_network)" as protected. I'm just
playing around with it at this point to explore what works best. It's
impossible to know until after some results come back.
regards,
dan carpenter
#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"
static int my_id;
static struct {
const char *type_name;
int len;
} member_list[] = {
{ "(struct ieee80211_network)->ssid", 32 },
{ "(struct rtllib_network)->ssid", 32 },
};
static void match_memset(const char *fn, struct expression *expr, void *_unused)
{
struct expression *dest, *size_arg;
struct range_list *rl;
char *member_name;
int dest_size = 0;
int i;
dest = get_argument_from_call_expr(expr->args, 0);
size_arg = get_argument_from_call_expr(expr->args, 2);
if (!dest || !size_arg)
return;
member_name = get_member_name(dest);
if (!member_name)
return;
for (i = 0; i < ARRAY_SIZE(member_list); i++) {
if (strcmp(member_name, member_list[i].type_name) == 0) {
dest_size = member_list[i].len;
goto check;
}
}
if (strstr(member_name, "->ssid"))
goto check;
if (strncmp(member_name, "(struct ieee80211_network)", 26) == 0)
goto check;
goto free;
check:
get_absolute_rl(size_arg, &rl);
if (!dest_size)
dest_size = get_array_size_bytes(dest);
if (rl_max(rl).value <= dest_size)
goto free;
if (dest_size <= 0 && is_capped(size_arg))
goto free;
sm_msg("protected struct member '%s' overflow: rl='%s'", member_name, show_rl(rl));
free:
free_string(member_name);
}
void check_protected_member(int id)
{
if (option_project != PROJ_KERNEL)
return;
my_id = id;
add_function_hook("memcpy", &match_memset, NULL);
add_function_hook("__memcpy", &match_memset, NULL);
}
next prev parent reply other threads:[~2021-02-26 14:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-26 11:48 [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan Lee Gibson
2021-02-26 12:06 ` Greg KH
2021-02-26 12:30 ` Dan Carpenter
2021-02-26 13:43 ` Dan Carpenter
2021-02-26 14:05 ` Dan Carpenter [this message]
2021-03-01 13:25 ` Dan Carpenter
2021-03-01 15:37 ` Lee
2021-03-05 8:22 ` Dan Carpenter
2021-03-05 15:00 ` Lee
2021-03-08 7:57 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210226140526.GG2222@kadam \
--to=dan.carpenter@oracle.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=leegib@gmail.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).