| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Apr 2021 14:39:10 +0000 (UTC)
From: Kalle Valo <kvalo@...eaurora.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: linux-kernel@...r.kernel.org,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-hardening@...r.kernel.org,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH v3 1/2] wl3501_cs: Fix out-of-bounds warnings in
wl3501_send_pkt
"Gustavo A. R. Silva" <gustavoars@...nel.org> wrote:
> Fix the following out-of-bounds warnings by enclosing structure members
> daddr and saddr into new struct addr, in structures wl3501_md_req and
> wl3501_md_ind:
>
> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
>
> Refactor the code, accordingly:
>
> $ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
> struct wl3501_md_req {
> u16 next_blk; /* 0 2 */
> u8 sig_id; /* 2 1 */
> u8 routing; /* 3 1 */
> u16 data; /* 4 2 */
> u16 size; /* 6 2 */
> u8 pri; /* 8 1 */
> u8 service_class; /* 9 1 */
> struct {
> u8 daddr[6]; /* 10 6 */
> u8 saddr[6]; /* 16 6 */
> } addr; /* 10 12 */
>
> /* size: 22, cachelines: 1, members: 8 */
> /* last cacheline: 22 bytes */
> };
>
> $ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
> struct wl3501_md_ind {
> u16 next_blk; /* 0 2 */
> u8 sig_id; /* 2 1 */
> u8 routing; /* 3 1 */
> u16 data; /* 4 2 */
> u16 size; /* 6 2 */
> u8 reception; /* 8 1 */
> u8 pri; /* 9 1 */
> u8 service_class; /* 10 1 */
> struct {
> u8 daddr[6]; /* 11 6 */
> u8 saddr[6]; /* 17 6 */
> } addr; /* 11 12 */
>
> /* size: 24, cachelines: 1, members: 9 */
> /* padding: 1 */
> /* last cacheline: 24 bytes */
> };
>
> The problem is that the original code is trying to copy data into a
> couple of arrays adjacent to each other in a single call to memcpy().
> Now that a new struct _addr_ enclosing those two adjacent arrays
> is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
> and &sig.daddr, because the address of the new struct object _addr_
> is used, instead.
>
> This helps with the ongoing efforts to globally enable -Warray-bounds
> and get us closer to being able to tighten the FORTIFY_SOURCE routines
> on memcpy().
>
> Link: https://github.com/KSPP/linux/issues/109
> Reported-by: kernel test robot <lkp@...el.com>
> Reviewed-by: Kees Cook <keescook@...omium.org>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
2 patches applied to wireless-drivers-next.git, thanks.
820aa37638a2 wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
bb43e5718d8f wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
--
https://patchwork.kernel.org/project/linux-wireless/patch/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Powered by blists - more mailing lists