| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220113044103.GN1978@kadam>
Date: Thu, 13 Jan 2022 07:41:03 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Kees Cook <keescook@...omium.org>
Cc: Larry Finger <Larry.Finger@...inger.net>,
Phillip Potter <phil@...lpotter.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michael Straube <straube.linux@...il.com>,
Fabio Aiuto <fabioaiuto83@...il.com>,
linux-staging@...ts.linux.dev, Hans de Goede <hdegoede@...hat.com>,
Marco Cesati <marcocesati@...il.com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: Check for NULL header value
On Wed, Jan 12, 2022 at 04:20:01PM -0800, Kees Cook wrote:
> When building with -Warray-bounds, the following warning is emitted:
>
> In file included from ./include/linux/string.h:253,
> from ./arch/x86/include/asm/page_32.h:22,
> from ./arch/x86/include/asm/page.h:14,
> from ./arch/x86/include/asm/thread_info.h:12,
> from ./include/linux/thread_info.h:60,
> from ./arch/x86/include/asm/preempt.h:7,
> from ./include/linux/preempt.h:78,
> from ./include/linux/rcupdate.h:27,
> from ./include/linux/rculist.h:11,
> from ./include/linux/sched/signal.h:5,
> from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
> from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
> In function 'memcpy',
> inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
> ./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
> 41 | #define __underlying_memcpy __builtin_memcpy
> | ^
>
> This is because the compiler sees it is possible for "ptr" to be a NULL
> value,
It's not really possible though. I bet it's just saying that because of
the NULL check in get_recvframe_data(). Meanwhile we already have
dereferenced "precvframe" so GCC should know that the NULL check can
never be true.
> and concludes that it has zero size and attempts to copy to it
> would overflow. Instead, detect the NULL return and error out early.
>
> Cc: Larry Finger <Larry.Finger@...inger.net>
> Cc: Phillip Potter <phil@...lpotter.co.uk>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Michael Straube <straube.linux@...il.com>
> Cc: Fabio Aiuto <fabioaiuto83@...il.com>
> Cc: linux-staging@...ts.linux.dev
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> drivers/staging/rtl8723bs/core/rtw_recv.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
> index 41bfca549c64..61135c49322b 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_recv.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
> @@ -1513,6 +1513,9 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe)
> u8 *ptr = get_recvframe_data(precvframe) ; /* point to frame_ctrl field */
> struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib;
>
> + if (!ptr)
> + return _FAIL;
> +
Can we put a comment to say /* Silence GCC false positive with -Warray-bounds */
We should have a standard comment so that we can grep for this ten years
from now an remove any outdated work arounds.
regards,
dan carpenter
Powered by blists - more mailing lists