| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <db78155a-65c1-455b-aaaf-0463b17009f5@embeddedor.com>
Date: Wed, 27 Mar 2024 15:23:32 -0600
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Jeff Johnson <quic_jjohnson@...cinc.com>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>, Kalle Valo <kvalo@...nel.org>
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] wifi: cfg80211: Use __counted_by() in struct
wmi_start_scan_cmd and avoid -Wfamnae warning
>> - memset(&cmd, 0, sizeof(cmd));
>> - cmd.cmd.scan_type = WMI_ACTIVE_SCAN;
>> - cmd.cmd.num_channels = 0;
>> + memset(cmd, 0, sizeof(*cmd));
>
> Isn't this unnecessary since DEFINE_FLEX() logic "{ .obj.COUNTER = COUNT, }"
> should result in everything else being zeroed?
>
> And if that isn't sufficient, DEFINE_FLEX() itself says we should "Use
> __struct_size(@NAME) to get compile-time size of it afterwards"
>
> Note the current memset won't zero the flex array and hence if the actual
> number of channels is less than 4 then kernel stack contents could be exposed
> to firmware.
Yes, that's correct. The current memset() will only zero out a total of
sizeof(struct wmi_start_scan_cmd) bytes, which of course doesn't include
the flex-array member.
Thanks for the review, I'll remove that line!
--
Gustavo
Powered by blists - more mailing lists