* [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2022-01-15 4:24 ` [PATCH 2/3 v2] staging: rtl8723bs: " Kees Cook
2022-01-15 4:24 ` [PATCH 3/3 v2] staging: rtl8712: " Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Phillip Potter, Michael Straube,
Fabio Aiuto, linux-staging, Florian Schilhabel,
Christophe JAILLET, Zhansaya Bagdauletkyzy, Ivan Safonov,
Martin Kaiser, Yang Li, Nathan Chancellor, Hans de Goede,
Dan Carpenter, Marco Cesati, Joe Perches, Fabio M. De Francesco,
linux-kernel, linux-hardening
When building with -Warray-bounds, the following warning is emitted:
In file included from ./include/linux/string.h:253,
from ./arch/x86/include/asm/page_32.h:22,
from ./arch/x86/include/asm/page.h:14,
from ./arch/x86/include/asm/thread_info.h:12,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/rcupdate.h:27,
from ./include/linux/rculist.h:11,
from ./include/linux/sched/signal.h:5,
from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
41 | #define __underlying_memcpy __builtin_memcpy
| ^
This is because the compiler sees it is possible for "ptr" to be a NULL
value, and concludes that it has zero size and attempts to copy to it
would overflow. Instead, remove the get_recvframe_data() entirely, as
it's not possible for this to ever be NULL.
Additionally add missing NULL checks after recvframe_pull() (which are
present in the rtl8712 driver).
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michael Straube <straube.linux@gmail.com>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/r8188eu/core/rtw_recv.c | 6 +++++-
drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c | 4 +---
drivers/staging/r8188eu/include/rtw_recv.h | 9 ---------
3 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_recv.c b/drivers/staging/r8188eu/core/rtw_recv.c
index 51a13262a226..946e659ae97a 100644
--- a/drivers/staging/r8188eu/core/rtw_recv.c
+++ b/drivers/staging/r8188eu/core/rtw_recv.c
@@ -1188,7 +1188,7 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
struct adapter *adapter = precvframe->adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe); /* point to frame_ctrl field */
+ u8 *ptr = precvframe->rx_data; /* point to frame_ctrl field */
struct rx_pkt_attrib *pattrib = &precvframe->attrib;
if (pattrib->encrypt)
@@ -1223,10 +1223,14 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
eth_type = 0x8712;
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len - sizeof(struct ethhdr) + 2) - 24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
} else {
ptr = recvframe_pull(precvframe, (rmv_len - sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
+ if (!ptr)
+ return _FAIL;
}
memcpy(ptr, pattrib->dst, ETH_ALEN);
diff --git a/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c b/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
index 90d426199f52..bf93ff3af140 100644
--- a/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
+++ b/drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c
@@ -128,7 +128,7 @@ void update_recvframe_phyinfo_88e(struct recv_frame *precvframe, struct phy_stat
struct rx_pkt_attrib *pattrib = &precvframe->attrib;
struct hal_data_8188e *pHalData = &padapter->haldata;
struct phy_info *pPHYInfo = &pattrib->phy_info;
- u8 *wlanhdr;
+ u8 *wlanhdr = precvframe->rx_data;
struct odm_per_pkt_info pkt_info;
u8 *sa = NULL;
struct sta_priv *pstapriv;
@@ -138,8 +138,6 @@ void update_recvframe_phyinfo_88e(struct recv_frame *precvframe, struct phy_stat
pkt_info.bPacketToSelf = false;
pkt_info.bPacketBeacon = false;
- wlanhdr = get_recvframe_data(precvframe);
-
pkt_info.bPacketMatchBSSID = ((!IsFrameTypeCtrl(wlanhdr)) &&
!pattrib->icv_err && !pattrib->crc_err &&
!memcmp(get_hdr_bssid(wlanhdr),
diff --git a/drivers/staging/r8188eu/include/rtw_recv.h b/drivers/staging/r8188eu/include/rtw_recv.h
index b43a46887343..920f33235e00 100644
--- a/drivers/staging/r8188eu/include/rtw_recv.h
+++ b/drivers/staging/r8188eu/include/rtw_recv.h
@@ -296,15 +296,6 @@ static inline u8 *get_rx_status(struct recv_frame *precvframe)
return get_rxmem(precvframe);
}
-static inline u8 *get_recvframe_data(struct recv_frame *precvframe)
-{
- /* always return rx_data */
- if (precvframe == NULL)
- return NULL;
-
- return precvframe->rx_data;
-}
-
static inline u8 *recvframe_push(struct recv_frame *precvframe, int sz)
{
/* append data before rx_data */
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/3 v2] staging: rtl8723bs: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2022-01-15 4:24 ` [PATCH 3/3 v2] staging: rtl8712: " Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Phillip Potter, Michael Straube,
Fabio Aiuto, linux-staging, Florian Schilhabel,
Christophe JAILLET, Zhansaya Bagdauletkyzy, Ivan Safonov,
Martin Kaiser, Yang Li, Nathan Chancellor, Hans de Goede,
Dan Carpenter, Marco Cesati, Joe Perches, Fabio M. De Francesco,
linux-kernel, linux-hardening
When building with -Warray-bounds, the following warning is emitted:
In file included from ./include/linux/string.h:253,
from ./arch/x86/include/asm/page_32.h:22,
from ./arch/x86/include/asm/page.h:14,
from ./arch/x86/include/asm/thread_info.h:12,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/rcupdate.h:27,
from ./include/linux/rculist.h:11,
from ./include/linux/sched/signal.h:5,
from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
41 | #define __underlying_memcpy __builtin_memcpy
| ^
This is because the compiler sees it is possible for "ptr" to be a NULL
value, and concludes that it has zero size and attempts to copy to it
would overflow. Instead, remove the get_recvframe_data() entirely, as
it's not possible for this to ever be NULL.
Additionally add missing NULL checks after recvframe_pull() (which are
present in the rtl8712 driver).
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michael Straube <straube.linux@gmail.com>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 11 ++++++++---
drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c | 3 +--
drivers/staging/rtl8723bs/include/rtw_recv.h | 11 -----------
3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 41bfca549c64..ffb455688a7d 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -465,7 +465,7 @@ static union recv_frame *portctrl(struct adapter *adapter, union recv_frame *pre
auth_alg = adapter->securitypriv.dot11AuthAlgrthm;
- ptr = get_recvframe_data(precv_frame);
+ ptr = precvframe->u.hdr.rx_data;
pfhdr = &precv_frame->u.hdr;
pattrib = &pfhdr->attrib;
psta_addr = pattrib->ta;
@@ -1510,7 +1510,7 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
__be16 be_tmp;
struct adapter *adapter = precvframe->u.hdr.adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe) ; /* point to frame_ctrl field */
+ u8 *ptr = precvframe->u.hdr.rx_data; /* point to frame_ctrl field */
struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
if (pattrib->encrypt)
@@ -1546,10 +1546,15 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
eth_type = 0x8712;
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr)+2)-24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
- } else
+ } else {
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr?2:0)));
+ if (!ptr)
+ return _FAIL;
+ }
memcpy(ptr, pattrib->dst, ETH_ALEN);
memcpy(ptr+ETH_ALEN, pattrib->src, ETH_ALEN);
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
index c0a1a6fbeb91..74e75dc970f7 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
@@ -81,7 +81,7 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
struct odm_phy_info *p_phy_info =
(struct odm_phy_info *)(&pattrib->phy_info);
- u8 *wlanhdr;
+ u8 *wlanhdr = precvframe->u.hdr.rx_data;
u8 *my_bssid;
u8 *rx_bssid;
u8 *rx_ra;
@@ -100,7 +100,6 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
struct sta_priv *pstapriv;
struct sta_info *psta;
- wlanhdr = get_recvframe_data(precvframe);
my_bssid = get_bssid(&padapter->mlmepriv);
rx_bssid = get_hdr_bssid(wlanhdr);
pkt_info.bssid_match = ((!IsFrameTypeCtrl(wlanhdr)) &&
diff --git a/drivers/staging/rtl8723bs/include/rtw_recv.h b/drivers/staging/rtl8723bs/include/rtw_recv.h
index a88b7c088a86..44f67103503a 100644
--- a/drivers/staging/rtl8723bs/include/rtw_recv.h
+++ b/drivers/staging/rtl8723bs/include/rtw_recv.h
@@ -385,17 +385,6 @@ static inline u8 *get_rxmem(union recv_frame *precvframe)
return precvframe->u.hdr.rx_head;
}
-static inline u8 *get_recvframe_data(union recv_frame *precvframe)
-{
-
- /* alwasy return rx_data */
- if (precvframe == NULL)
- return NULL;
-
- return precvframe->u.hdr.rx_data;
-
-}
-
static inline u8 *recvframe_pull(union recv_frame *precvframe, signed int sz)
{
/* rx_data += sz; move rx_data sz bytes hereafter */
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 3/3 v2] staging: rtl8712: Drop get_recvframe_data()
2022-01-15 4:24 [PATCH 0/3 v2] staging: rtl*: Check for NULL header value Kees Cook
2022-01-15 4:24 ` [PATCH 1/3 v2] staging: r8188eu: Drop get_recvframe_data() Kees Cook
2022-01-15 4:24 ` [PATCH 2/3 v2] staging: rtl8723bs: " Kees Cook
@ 2022-01-15 4:24 ` Kees Cook
2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2022-01-15 4:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Kees Cook, Larry Finger, Florian Schilhabel, Christophe JAILLET,
Zhansaya Bagdauletkyzy, Ivan Safonov, linux-staging,
Phillip Potter, Michael Straube, Fabio Aiuto, Martin Kaiser,
Yang Li, Nathan Chancellor, Hans de Goede, Dan Carpenter,
Marco Cesati, Joe Perches, Fabio M. De Francesco, linux-kernel,
linux-hardening
As done for rtl8723bs and r8188eu, drop get_recvframe_data(), as it
introduces an impossible value (NULL) for the compiler to check code
paths against which could result in nonsensical warnings.
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Florian Schilhabel <florian.c.schilhabel@googlemail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>
Cc: Ivan Safonov <insafonov@gmail.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/staging/rtl8712/rtl871x_recv.c | 4 ++--
drivers/staging/rtl8712/rtl871x_recv.h | 8 --------
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index c23f6b376111..a069e4d98eef 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -234,7 +234,7 @@ union recv_frame *r8712_portctrl(struct _adapter *adapter,
u16 ether_type;
pstapriv = &adapter->stapriv;
- ptr = get_recvframe_data(precv_frame);
+ ptr = precvframe->u.hdr.rx_data;
pfhdr = &precv_frame->u.hdr;
psta_addr = pfhdr->attrib.ta;
psta = r8712_get_stainfo(pstapriv, psta_addr);
@@ -593,7 +593,7 @@ int r8712_wlanhdr_to_ethhdr(union recv_frame *precvframe)
struct _adapter *adapter = precvframe->u.hdr.adapter;
struct mlme_priv *pmlmepriv = &adapter->mlmepriv;
- u8 *ptr = get_recvframe_data(precvframe); /*point to frame_ctrl field*/
+ u8 *ptr = precvframe->u.hdr.rx_data; /*point to frame_ctrl field*/
struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
if (pattrib->encrypt)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.h b/drivers/staging/rtl8712/rtl871x_recv.h
index 1c8298bde033..0760bccbf389 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.h
+++ b/drivers/staging/rtl8712/rtl871x_recv.h
@@ -139,14 +139,6 @@ static inline u8 *get_rxmem(union recv_frame *precvframe)
return precvframe->u.hdr.rx_head;
}
-static inline u8 *get_recvframe_data(union recv_frame *precvframe)
-{
- /* always return rx_data */
- if (!precvframe)
- return NULL;
- return precvframe->u.hdr.rx_data;
-}
-
static inline u8 *recvframe_pull(union recv_frame *precvframe, sint sz)
{
/* used for extract sz bytes from rx_data, update rx_data and return
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread