lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Jan 2022 07:41:03 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Kees Cook <keescook@...omium.org> Cc: Larry Finger <Larry.Finger@...inger.net>, Phillip Potter <phil@...lpotter.co.uk>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Michael Straube <straube.linux@...il.com>, Fabio Aiuto <fabioaiuto83@...il.com>, linux-staging@...ts.linux.dev, Hans de Goede <hdegoede@...hat.com>, Marco Cesati <marcocesati@...il.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH] staging: rtl8723bs: Check for NULL header value On Wed, Jan 12, 2022 at 04:20:01PM -0800, Kees Cook wrote: > When building with -Warray-bounds, the following warning is emitted: > > In file included from ./include/linux/string.h:253, > from ./arch/x86/include/asm/page_32.h:22, > from ./arch/x86/include/asm/page.h:14, > from ./arch/x86/include/asm/thread_info.h:12, > from ./include/linux/thread_info.h:60, > from ./arch/x86/include/asm/preempt.h:7, > from ./include/linux/preempt.h:78, > from ./include/linux/rcupdate.h:27, > from ./include/linux/rculist.h:11, > from ./include/linux/sched/signal.h:5, > from ./drivers/staging/rtl8723bs/include/drv_types.h:17, > from drivers/staging/rtl8723bs/core/rtw_recv.c:7: > In function 'memcpy', > inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2: > ./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds] > 41 | #define __underlying_memcpy __builtin_memcpy > | ^ > > This is because the compiler sees it is possible for "ptr" to be a NULL > value, It's not really possible though. I bet it's just saying that because of the NULL check in get_recvframe_data(). Meanwhile we already have dereferenced "precvframe" so GCC should know that the NULL check can never be true. > and concludes that it has zero size and attempts to copy to it > would overflow. Instead, detect the NULL return and error out early. > > Cc: Larry Finger <Larry.Finger@...inger.net> > Cc: Phillip Potter <phil@...lpotter.co.uk> > Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> > Cc: Michael Straube <straube.linux@...il.com> > Cc: Fabio Aiuto <fabioaiuto83@...il.com> > Cc: linux-staging@...ts.linux.dev > Signed-off-by: Kees Cook <keescook@...omium.org> > --- > drivers/staging/rtl8723bs/core/rtw_recv.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c > index 41bfca549c64..61135c49322b 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_recv.c > +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c > @@ -1513,6 +1513,9 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe) > u8 *ptr = get_recvframe_data(precvframe) ; /* point to frame_ctrl field */ > struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib; > > + if (!ptr) > + return _FAIL; > + Can we put a comment to say /* Silence GCC false positive with -Warray-bounds */ We should have a standard comment so that we can grep for this ten years from now an remove any outdated work arounds. regards, dan carpenter
Powered by blists - more mailing lists