* [PATCH] iwlwifi: calib: Refactor iwl_calib_result usage for clarity
@ 2022-09-01 20:45 Kees Cook
2022-09-02 3:20 ` Kalle Valo
2022-09-07 7:16 ` wifi: " Kalle Valo
0 siblings, 2 replies; 3+ messages in thread
From: Kees Cook @ 2022-09-01 20:45 UTC (permalink / raw)
To: Luca Coelho
Cc: Kees Cook, Kalle Valo, David S. Miller, Jakub Kicinski,
Lee Jones, Johannes Berg, linux-wireless, netdev, Andy Lavr,
Kalle Valo, Gregory Greenman, Eric Dumazet, Paolo Abeni,
linux-kernel, linux-hardening
In preparation for FORTIFY_SOURCE performing run-time destination buffer
bounds checking for memcpy(), refactor the use of struct iwl_calib_result:
- Have struct iwl_calib_result contain struct iwl_calib_cmd since
functions expect to operate on the "data" flex array in "cmd", which
follows the "hdr" member.
- Switch argument passing around to use struct iwl_calib_cmd instead of
struct iwl_calib_hdr to prepare functions to see the "data" member.
- Change iwl_calib_set()'s "len" argument to a size_t since it is always
unsigned and is normally receiving the output of sizeof().
- Add an explicit length sanity check in iwl_calib_set().
- Adjust the memcpy() to avoid copying across the now visible composite
flex array structure.
This avoids the future run-time warning:
memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4)
Cc: Luca Coelho <luciano.coelho@intel.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Lee Jones <lee.jones@linaro.org>
Cc: Johannes Berg <johannes.berg@intel.com>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Reported-by: Andy Lavr <andy.lavr@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/net/wireless/intel/iwlwifi/dvm/agn.h | 2 +-
.../net/wireless/intel/iwlwifi/dvm/calib.c | 22 ++++++++++---------
.../net/wireless/intel/iwlwifi/dvm/ucode.c | 8 +++----
3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h
index 411a6f6638b4..fefaa414272b 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/agn.h
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/agn.h
@@ -112,7 +112,7 @@ int iwl_load_ucode_wait_alive(struct iwl_priv *priv,
enum iwl_ucode_type ucode_type);
int iwl_send_calib_results(struct iwl_priv *priv);
int iwl_calib_set(struct iwl_priv *priv,
- const struct iwl_calib_hdr *cmd, int len);
+ const struct iwl_calib_cmd *cmd, size_t len);
void iwl_calib_free_results(struct iwl_priv *priv);
int iwl_dump_nic_event_log(struct iwl_priv *priv, bool full_log,
char **buf);
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c
index a11884fa254b..f488620d2844 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c
@@ -19,8 +19,7 @@
struct iwl_calib_result {
struct list_head list;
size_t cmd_len;
- struct iwl_calib_hdr hdr;
- /* data follows */
+ struct iwl_calib_cmd cmd;
};
struct statistics_general_data {
@@ -43,12 +42,12 @@ int iwl_send_calib_results(struct iwl_priv *priv)
int ret;
hcmd.len[0] = res->cmd_len;
- hcmd.data[0] = &res->hdr;
+ hcmd.data[0] = &res->cmd;
hcmd.dataflags[0] = IWL_HCMD_DFL_NOCOPY;
ret = iwl_dvm_send_cmd(priv, &hcmd);
if (ret) {
IWL_ERR(priv, "Error %d on calib cmd %d\n",
- ret, res->hdr.op_code);
+ ret, res->cmd.hdr.op_code);
return ret;
}
}
@@ -57,19 +56,22 @@ int iwl_send_calib_results(struct iwl_priv *priv)
}
int iwl_calib_set(struct iwl_priv *priv,
- const struct iwl_calib_hdr *cmd, int len)
+ const struct iwl_calib_cmd *cmd, size_t len)
{
struct iwl_calib_result *res, *tmp;
- res = kmalloc(sizeof(*res) + len - sizeof(struct iwl_calib_hdr),
- GFP_ATOMIC);
+ if (check_sub_overflow(len, sizeof(*cmd), &len))
+ return -ENOMEM;
+
+ res = kmalloc(struct_size(res, cmd.data, len), GFP_ATOMIC);
if (!res)
return -ENOMEM;
- memcpy(&res->hdr, cmd, len);
- res->cmd_len = len;
+ res->cmd = *cmd;
+ memcpy(res->cmd.data, cmd->data, len);
+ res->cmd_len = struct_size(cmd, data, len);
list_for_each_entry(tmp, &priv->calib_results, list) {
- if (tmp->hdr.op_code == res->hdr.op_code) {
+ if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) {
list_replace(&tmp->list, &res->list);
kfree(tmp);
return 0;
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c
index 4b27a53d0bb4..bb13ca5d666c 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/ucode.c
@@ -356,18 +356,18 @@ static bool iwlagn_wait_calib(struct iwl_notif_wait_data *notif_wait,
struct iwl_rx_packet *pkt, void *data)
{
struct iwl_priv *priv = data;
- struct iwl_calib_hdr *hdr;
+ struct iwl_calib_cmd *cmd;
if (pkt->hdr.cmd != CALIBRATION_RES_NOTIFICATION) {
WARN_ON(pkt->hdr.cmd != CALIBRATION_COMPLETE_NOTIFICATION);
return true;
}
- hdr = (struct iwl_calib_hdr *)pkt->data;
+ cmd = (struct iwl_calib_cmd *)pkt->data;
- if (iwl_calib_set(priv, hdr, iwl_rx_packet_payload_len(pkt)))
+ if (iwl_calib_set(priv, cmd, iwl_rx_packet_payload_len(pkt)))
IWL_ERR(priv, "Failed to record calibration data %d\n",
- hdr->op_code);
+ cmd->hdr.op_code);
return false;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] iwlwifi: calib: Refactor iwl_calib_result usage for clarity
2022-09-01 20:45 [PATCH] iwlwifi: calib: Refactor iwl_calib_result usage for clarity Kees Cook
@ 2022-09-02 3:20 ` Kalle Valo
2022-09-07 7:16 ` wifi: " Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2022-09-02 3:20 UTC (permalink / raw)
To: Kees Cook
Cc: Luca Coelho, David S. Miller, Jakub Kicinski, Lee Jones,
Johannes Berg, linux-wireless, netdev, Andy Lavr,
Gregory Greenman, Eric Dumazet, Paolo Abeni, linux-kernel,
linux-hardening
Kees Cook <keescook@chromium.org> writes:
> In preparation for FORTIFY_SOURCE performing run-time destination buffer
> bounds checking for memcpy(), refactor the use of struct iwl_calib_result:
>
> - Have struct iwl_calib_result contain struct iwl_calib_cmd since
> functions expect to operate on the "data" flex array in "cmd", which
> follows the "hdr" member.
> - Switch argument passing around to use struct iwl_calib_cmd instead of
> struct iwl_calib_hdr to prepare functions to see the "data" member.
> - Change iwl_calib_set()'s "len" argument to a size_t since it is always
> unsigned and is normally receiving the output of sizeof().
> - Add an explicit length sanity check in iwl_calib_set().
> - Adjust the memcpy() to avoid copying across the now visible composite
> flex array structure.
>
> This avoids the future run-time warning:
>
> memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4)
>
> Cc: Luca Coelho <luciano.coelho@intel.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Lee Jones <lee.jones@linaro.org>
> Cc: Johannes Berg <johannes.berg@intel.com>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Reported-by: Andy Lavr <andy.lavr@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Gregory, as this fixes a future warning can I take this directly to
wireless-next?
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: wifi: iwlwifi: calib: Refactor iwl_calib_result usage for clarity
2022-09-01 20:45 [PATCH] iwlwifi: calib: Refactor iwl_calib_result usage for clarity Kees Cook
2022-09-02 3:20 ` Kalle Valo
@ 2022-09-07 7:16 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2022-09-07 7:16 UTC (permalink / raw)
To: Kees Cook
Cc: Luca Coelho, Kees Cook, Kalle Valo, David S. Miller,
Jakub Kicinski, Lee Jones, Johannes Berg, linux-wireless, netdev,
Andy Lavr, Gregory Greenman, Eric Dumazet, Paolo Abeni,
linux-kernel, linux-hardening
Kees Cook <keescook@chromium.org> wrote:
> In preparation for FORTIFY_SOURCE performing run-time destination buffer
> bounds checking for memcpy(), refactor the use of struct iwl_calib_result:
>
> - Have struct iwl_calib_result contain struct iwl_calib_cmd since
> functions expect to operate on the "data" flex array in "cmd", which
> follows the "hdr" member.
> - Switch argument passing around to use struct iwl_calib_cmd instead of
> struct iwl_calib_hdr to prepare functions to see the "data" member.
> - Change iwl_calib_set()'s "len" argument to a size_t since it is always
> unsigned and is normally receiving the output of sizeof().
> - Add an explicit length sanity check in iwl_calib_set().
> - Adjust the memcpy() to avoid copying across the now visible composite
> flex array structure.
>
> This avoids the future run-time warning:
>
> memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4)
>
> Cc: Luca Coelho <luciano.coelho@intel.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Lee Jones <lee.jones@linaro.org>
> Cc: Johannes Berg <johannes.berg@intel.com>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Reported-by: Andy Lavr <andy.lavr@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Patch applied to wireless-next.git, thanks.
0d24201f47c4 wifi: iwlwifi: calib: Refactor iwl_calib_result usage for clarity
--
https://patchwork.kernel.org/project/linux-wireless/patch/20220901204558.2256458-1-keescook@chromium.org/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-07 7:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-01 20:45 [PATCH] iwlwifi: calib: Refactor iwl_calib_result usage for clarity Kees Cook
2022-09-02 3:20 ` Kalle Valo
2022-09-07 7:16 ` wifi: " Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).