| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Feb 2022 16:50:18 -0800
From: Jeff Johnson <quic_jjohnson@...cinc.com>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>,
<linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: Kalle Valo <kvalo@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, <netdev@...r.kernel.org>,
<linux-hardening@...r.kernel.org>
Subject: Re: [PATCH 4/6][next] ath6kl: wmi: Replace one-element array with
flexible-array member in struct wmi_connect_event
On 2/22/2022 6:38 PM, Gustavo A. R. Silva wrote:
> Replace one-element array with flexible-array member in struct
> wmi_connect_event.
>
> It's also worth noting that due to the flexible array transformation,
> the size of struct wmi_connect_event changed (now the size is 1 byte
> smaller), and in order to preserve the logic of before the transformation,
> the following change is needed:
>
> - if (len < sizeof(struct wmi_connect_event))
> + if (len <= sizeof(struct wmi_connect_event))
>
> This issue was found with the help of Coccinelle and audited and fixed,
> manually.
>
> Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays
> Link: https://github.com/KSPP/linux/issues/79
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
> Hi!
>
> It'd be great if someone can confirm or comment on the following
> changes described in the changelog text:
>
> - if (len < sizeof(struct wmi_connect_event))
> + if (len <= sizeof(struct wmi_connect_event))
>
> Thanks
>
> drivers/net/wireless/ath/ath6kl/wmi.c | 2 +-
> drivers/net/wireless/ath/ath6kl/wmi.h | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
> index 049d75f31f3c..ccdccead688e 100644
> --- a/drivers/net/wireless/ath/ath6kl/wmi.c
> +++ b/drivers/net/wireless/ath/ath6kl/wmi.c
> @@ -857,7 +857,7 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len,
> struct wmi_connect_event *ev;
> u8 *pie, *peie;
>
> - if (len < sizeof(struct wmi_connect_event))
> + if (len <= sizeof(struct wmi_connect_event))
this is another case where IMO the original code can remain since all it
is really checking is to see if the entire "fixed" portion is present.
in reality if there was just one byte of assoc_info the response would
actually be invalid.
what is missing is logic that verifies len is large enough to hold the
payload that is advertised via the beacon_ie_len, assoc_req_len, &
assoc_resp_len members. without this even if you change the initial len
check you can have a condition where len says there is one u8 in
assoc_info (and pass the initial test) but the other three members
indicate that much more data is present.
but that is a pre-existing shortcoming that should be handled with a
separate patch.
> return -EINVAL;
>
> ev = (struct wmi_connect_event *) datap;
> diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h
> index 432e4f428a4a..6b064e669d87 100644
> --- a/drivers/net/wireless/ath/ath6kl/wmi.h
> +++ b/drivers/net/wireless/ath/ath6kl/wmi.h
> @@ -1545,7 +1545,7 @@ struct wmi_connect_event {
> u8 beacon_ie_len;
> u8 assoc_req_len;
> u8 assoc_resp_len;
> - u8 assoc_info[1];
> + u8 assoc_info[];
> } __packed;
>
> /* Disconnect Event */
whether or not you modify the length check consider this:
Reviewed-by: Jeff Johnson <quic_jjohnson@...cinc.com>
Powered by blists - more mailing lists