* [PATCH 0/3 v2] staging: rtl*: Check for NULL header value
@ 2022-01-15 4:24 Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Phillip Potter, Michael Straube,
Fabio Aiuto, Florian Schilhabel, Christophe JAILLET,
Zhansaya Bagdauletkyzy, Ivan Safonov, Martin Kaiser, Yang Li,
Nathan Chancellor, Hans de Goede, Dan Carpenter, Marco Cesati,
Joe Perches, Fabio M. De Francesco, linux-kernel, linux-staging,
linux-hardening
Hi,
When building with -Warray-bounds, the following warning is emitted:
In file included from ./include/linux/string.h:253,
from ./arch/x86/include/asm/page_32.h:22,
from ./arch/x86/include/asm/page.h:14,
from ./arch/x86/include/asm/thread_info.h:12,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/rcupdate.h:27,
from ./include/linux/rculist.h:11,
from ./include/linux/sched/signal.h:5,
from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
41 | #define __underlying_memcpy __builtin_memcpy
| ^
This is due to various paths to the memcpy() where the compile could
see the destination buffer having a NULL value. This series fixes this
by both eliminating cases where NULL returns were impossible and adding
missing NULL checks where values were possible.
Thanks!
-Kees
v1: https://lore.kernel.org/lkml/20220113002001.3498383-1-keescook@chromium.org/
v2:
- drop get_recvframe_data()
- add missing NULL checks to r8188eu and rtl8723bs (already present in rtl8712)
Kees Cook (3):
staging: r8188eu: Drop get_recvframe_data()
staging: rtl8723bs: Drop get_recvframe_data()
staging: rtl8712: Drop get_recvframe_data()
drivers/staging/r8188eu/core/rtw_recv.c | 6 +++++-
drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c | 4 +---
drivers/staging/r8188eu/include/rtw_recv.h | 9 ---------
drivers/staging/rtl8712/rtl871x_recv.c | 4 ++--
drivers/staging/rtl8712/rtl871x_recv.h | 8 --------
drivers/staging/rtl8723bs/core/rtw_recv.c | 11 ++++++++---
drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c | 3 +--
drivers/staging/rtl8723bs/include/rtw_recv.h | 11 -----------
8 files changed, 17 insertions(+), 39 deletions(-)
--
2.30.2
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2022-01-15 4:24 ` [PATCH 2/3 v2] staging: rtl8723bs: " Kees Cook
2022-01-15 4:24 ` [PATCH 3/3 v2] staging: rtl8712: " Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Phillip Potter, Michael Straube,
Fabio Aiuto, linux-staging, Florian Schilhabel,
Christophe JAILLET, Zhansaya Bagdauletkyzy, Ivan Safonov,
Martin Kaiser, Yang Li, Nathan Chancellor, Hans de Goede,
Dan Carpenter, Marco Cesati, Joe Perches, Fabio M. De Francesco,
linux-kernel, linux-hardening
When building with -Warray-bounds, the following warning is emitted:
In file included from ./include/linux/string.h:253,
from ./arch/x86/include/asm/page_32.h:22,
from ./arch/x86/include/asm/page.h:14,
from ./arch/x86/include/asm/thread_info.h:12,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/rcupdate.h:27,
from ./include/linux/rculist.h:11,
from ./include/linux/sched/signal.h:5,
from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
41 | #define __underlying_memcpy __builtin_memcpy
| ^
This is because the compiler sees it is possible for "ptr" to be a NULL
value, and concludes that it has zero size and attempts to copy to it
would overflow. Instead, remove the get_recvframe_data() entirely, as
it's not possible for this to ever be NULL.
Additionally add missing NULL checks after recvframe_pull() (which are
present in the rtl8712 driver).
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michael Straube <straube.linux@gmail.com>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/r8188eu/core/rtw_recv.c | 6 +++++-
drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c | 4 +---
drivers/staging/r8188eu/include/rtw_recv.h | 9 ---------
3 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_recv.c b/drivers/staging/r8188eu/core/rtw_recv.c
index 51a13262a226..946e659ae97a 100644
--- a/drivers/staging/r8188eu/core/rtw_recv.c
+++ b/drivers/staging/r8188eu/core/rtw_recv.c
@@ -1188,7 +1188,7 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
struct adapter *adapter = precvframe->adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe); /* point to frame_ctrl field */
+ u8 *ptr = precvframe->rx_data; /* point to frame_ctrl field */
struct rx_pkt_attrib *pattrib = &precvframe->attrib;
if (pattrib->encrypt)
@@ -1223,10 +1223,14 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
eth_type = 0x8712;
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len - sizeof(struct ethhdr) + 2) - 24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
} else {
ptr = recvframe_pull(precvframe, (rmv_len - sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
+ if (!ptr)
+ return _FAIL;
}
memcpy(ptr, pattrib->dst, ETH_ALEN);
diff --git a/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c b/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
index 90d426199f52..bf93ff3af140 100644
--- a/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
+++ b/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
@@ -128,7 +128,7 @@ void update_recvframe_phyinfo_88e(struct recv_frame *precvframe, struct phy_stat
struct rx_pkt_attrib *pattrib = &precvframe->attrib;
struct hal_data_8188e *pHalData = &padapter->haldata;
struct phy_info *pPHYInfo = &pattrib->phy_info;
- u8 *wlanhdr;
+ u8 *wlanhdr = precvframe->rx_data;
struct odm_per_pkt_info pkt_info;
u8 *sa = NULL;
struct sta_priv *pstapriv;
@@ -138,8 +138,6 @@ void update_recvframe_phyinfo_88e(struct recv_frame *precvframe, struct phy_stat
pkt_info.bPacketToSelf = false;
pkt_info.bPacketBeacon = false;
- wlanhdr = get_recvframe_data(precvframe);
-
pkt_info.bPacketMatchBSSID = ((!IsFrameTypeCtrl(wlanhdr)) &&
!pattrib->icv_err && !pattrib->crc_err &&
!memcmp(get_hdr_bssid(wlanhdr),
diff --git a/drivers/staging/r8188eu/include/rtw_recv.h b/drivers/staging/r8188eu/include/rtw_recv.h
index b43a46887343..920f33235e00 100644
--- a/drivers/staging/r8188eu/include/rtw_recv.h
+++ b/drivers/staging/r8188eu/include/rtw_recv.h
@@ -296,15 +296,6 @@ static inline u8 *get_rx_status(struct recv_frame *precvframe)
return get_rxmem(precvframe);
}
-static inline u8 *get_recvframe_data(struct recv_frame *precvframe)
-{
- /* always return rx_data */
- if (precvframe == NULL)
- return NULL;
-
- return precvframe->rx_data;
-}
-
static inline u8 *recvframe_push(struct recv_frame *precvframe, int sz)
{
/* append data before rx_data */
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/3 v2] staging: rtl8723bs: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2022-01-15 4:24 ` [PATCH 3/3 v2] staging: rtl8712: " Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Phillip Potter, Michael Straube,
Fabio Aiuto, linux-staging, Florian Schilhabel,
Christophe JAILLET, Zhansaya Bagdauletkyzy, Ivan Safonov,
Martin Kaiser, Yang Li, Nathan Chancellor, Hans de Goede,
Dan Carpenter, Marco Cesati, Joe Perches, Fabio M. De Francesco,
linux-kernel, linux-hardening
When building with -Warray-bounds, the following warning is emitted:
In file included from ./include/linux/string.h:253,
from ./arch/x86/include/asm/page_32.h:22,
from ./arch/x86/include/asm/page.h:14,
from ./arch/x86/include/asm/thread_info.h:12,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/rcupdate.h:27,
from ./include/linux/rculist.h:11,
from ./include/linux/sched/signal.h:5,
from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
41 | #define __underlying_memcpy __builtin_memcpy
| ^
This is because the compiler sees it is possible for "ptr" to be a NULL
value, and concludes that it has zero size and attempts to copy to it
would overflow. Instead, remove the get_recvframe_data() entirely, as
it's not possible for this to ever be NULL.
Additionally add missing NULL checks after recvframe_pull() (which are
present in the rtl8712 driver).
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michael Straube <straube.linux@gmail.com>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 11 ++++++++---
drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c | 3 +--
drivers/staging/rtl8723bs/include/rtw_recv.h | 11 -----------
3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 41bfca549c64..ffb455688a7d 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -465,7 +465,7 @@ static union recv_frame *portctrl(struct adapter *adapter, union recv_frame *pre
auth_alg = adapter->securitypriv.dot11AuthAlgrthm;
- ptr = get_recvframe_data(precv_frame);
+ ptr = precvframe->u.hdr.rx_data;
pfhdr = &precv_frame->u.hdr;
pattrib = &pfhdr->attrib;
psta_addr = pattrib->ta;
@@ -1510,7 +1510,7 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
__be16 be_tmp;
struct adapter *adapter = precvframe->u.hdr.adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe) ; /* point to frame_ctrl field */
+ u8 *ptr = precvframe->u.hdr.rx_data; /* point to frame_ctrl field */
struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
if (pattrib->encrypt)
@@ -1546,10 +1546,15 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
eth_type = 0x8712;
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr)+2)-24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
- } else
+ } else {
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr?2:0)));
+ if (!ptr)
+ return _FAIL;
+ }
memcpy(ptr, pattrib->dst, ETH_ALEN);
memcpy(ptr+ETH_ALEN, pattrib->src, ETH_ALEN);
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
index c0a1a6fbeb91..74e75dc970f7 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
@@ -81,7 +81,7 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
struct odm_phy_info *p_phy_info =
(struct odm_phy_info *)(&pattrib->phy_info);
- u8 *wlanhdr;
+ u8 *wlanhdr = precvframe->u.hdr.rx_data;
u8 *my_bssid;
u8 *rx_bssid;
u8 *rx_ra;
@@ -100,7 +100,6 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
struct sta_priv *pstapriv;
struct sta_info *psta;
- wlanhdr = get_recvframe_data(precvframe);
my_bssid = get_bssid(&padapter->mlmepriv);
rx_bssid = get_hdr_bssid(wlanhdr);
pkt_info.bssid_match = ((!IsFrameTypeCtrl(wlanhdr)) &&
diff --git a/drivers/staging/rtl8723bs/include/rtw_recv.h b/drivers/staging/rtl8723bs/include/rtw_recv.h
index a88b7c088a86..44f67103503a 100644
--- a/drivers/staging/rtl8723bs/include/rtw_recv.h
+++ b/drivers/staging/rtl8723bs/include/rtw_recv.h
@@ -385,17 +385,6 @@ static inline u8 *get_rxmem(union recv_frame *precvframe)
return precvframe->u.hdr.rx_head;
}
-static inline u8 *get_recvframe_data(union recv_frame *precvframe)
-{
-
- /* alwasy return rx_data */
- if (precvframe == NULL)
- return NULL;
-
- return precvframe->u.hdr.rx_data;
-
-}
-
static inline u8 *recvframe_pull(union recv_frame *precvframe, signed int sz)
{
/* rx_data += sz; move rx_data sz bytes hereafter */
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 3/3 v2] staging: rtl8712: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
2022-01-15 4:24 ` [PATCH 2/3 v2] staging: rtl8723bs: " Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Florian Schilhabel, Christophe JAILLET,
Zhansaya Bagdauletkyzy, Ivan Safonov, linux-staging,
Phillip Potter, Michael Straube, Fabio Aiuto, Martin Kaiser,
Yang Li, Nathan Chancellor, Hans de Goede, Dan Carpenter,
Marco Cesati, Joe Perches, Fabio M. De Francesco, linux-kernel,
linux-hardening
As done for rtl8723bs and r8188eu, drop get_recvframe_data(), as it
introduces an impossible value (NULL) for the compiler to check code
paths against which could result in nonsensical warnings.
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Florian Schilhabel <florian.c.schilhabel@googlemail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>
Cc: Ivan Safonov <insafonov@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/rtl8712/rtl871x_recv.c | 4 ++--
drivers/staging/rtl8712/rtl871x_recv.h | 8 --------
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index c23f6b376111..a069e4d98eef 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -234,7 +234,7 @@ union recv_frame *r8712_portctrl(struct _adapter *adapter,
u16 ether_type;
pstapriv = &adapter->stapriv;
- ptr = get_recvframe_data(precv_frame);
+ ptr = precvframe->u.hdr.rx_data;
pfhdr = &precv_frame->u.hdr;
psta_addr = pfhdr->attrib.ta;
psta = r8712_get_stainfo(pstapriv, psta_addr);
@@ -593,7 +593,7 @@ int r8712_wlanhdr_to_ethhdr(union recv_frame *precvframe)
struct _adapter *adapter = precvframe->u.hdr.adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe); /*point to frame_ctrl field*/
+ u8 *ptr = precvframe->u.hdr.rx_data; /*point to frame_ctrl field*/
struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
if (pattrib->encrypt)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.h b/drivers/staging/rtl8712/rtl871x_recv.h
index 1c8298bde033..0760bccbf389 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.h
+++ b/drivers/staging/rtl8712/rtl871x_recv.h
@@ -139,14 +139,6 @@ static inline u8 *get_rxmem(union recv_frame *precvframe)
return precvframe->u.hdr.rx_head;
}
-static inline u8 *get_recvframe_data(union recv_frame *precvframe)
-{
- /* always return rx_data */
- if (!precvframe)
- return NULL;
- return precvframe->u.hdr.rx_data;
-}
-
static inline u8 *recvframe_pull(union recv_frame *precvframe, sint sz)
{
/* used for extract sz bytes from rx_data, update rx_data and return
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-01-15 4:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
2022-01-15 4:24 ` [PATCH 2/3 v2] staging: rtl8723bs: " Kees Cook
2022-01-15 4:24 ` [PATCH 3/3 v2] staging: rtl8712: " Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).