Message-Id: <20250421204153.work.935-kees@kernel.org>
Date: Mon, 21 Apr 2025 13:41:57 -0700
From: Kees Cook <kees@...nel.org>
To: Miri Korenblit <miriam.rachel.korenblit@...el.com>
Cc: Kees Cook <kees@...nel.org>,
	Nathan Chancellor <nathan@...nel.org>,
	Johannes Berg <johannes.berg@...el.com>,
	Yedidya Benshimol <yedidya.ben.shimol@...el.com>,
	Emmanuel Grumbach <emmanuel.grumbach@...el.com>,
	Avraham Stern <avraham.stern@...el.com>,
	Daniel Gabay <daniel.gabay@...el.com>,
	linux-wireless@...r.kernel.org,
	Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
	Bill Wendling <morbo@...gle.com>,
	Justin Stitt <justinstitt@...gle.com>,
	Anjaneyulu <pagadala.yesu.anjaneyulu@...el.com>,
	linux-kernel@...r.kernel.org,
	llvm@...ts.linux.dev,
	linux-hardening@...r.kernel.org
Subject: [PATCH] wifi: iwlwifi: mld: Work around Clang loop unrolling bug

The nested loop in iwl_mld_send_proto_offload() confuses Clang into
thinking there could be a final loop iteration past the end of the "nsc"
array (which is only 4 entries). The FORTIFY checking in memcmp()
(via ipv6_addr_cmp()) notices this (due to the available bytes in the
out-of-bounds position of &nsc[4] being 0), and errors out, failing
the build. For some reason (likely due to architectural loop unrolling
configurations), this is only exposed on ARM builds currently. Due to
Clang's lack of inline tracking[1], the warning is not very helpful:

include/linux/fortify-string.h:719:4: error: call to '__read_overflow' declared with 'error' attribute: detected read beyond size of object (1st parameter)
  719 |                         __read_overflow();
      |                         ^
1 error generated.

But this was tracked down to iwl_mld_send_proto_offload()'s
ipv6_addr_cmp() call.

An upstream Clang bug has been filed[2] to track this, but for now,
fix the build by explicitly bounding the inner loop by "n_nsc", which
is what "c" is already limited to.

Reported-by: Nathan Chancellor <nathan@...nel.org>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2076
Link: https://github.com/llvm/llvm-project/pull/73552 [1]
Link: https://github.com/llvm/llvm-project/issues/136603 [2]
Signed-off-by: Kees Cook <kees@...nel.org>
---
Cc: Miri Korenblit <miriam.rachel.korenblit@...el.com>
Cc: Johannes Berg <johannes.berg@...el.com>
Cc: Yedidya Benshimol <yedidya.ben.shimol@...el.com>
Cc: Emmanuel Grumbach <emmanuel.grumbach@...el.com>
Cc: Avraham Stern <avraham.stern@...el.com>
Cc: Daniel Gabay <daniel.gabay@...el.com>
Cc: <linux-wireless@...r.kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mld/d3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
index 2c6e8ecd93b7..1daca1ef02b2 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
@@ -1754,7 +1754,7 @@ iwl_mld_send_proto_offload(struct iwl_mld *mld,
 
 		addrconf_addr_solict_mult(&wowlan_data->target_ipv6_addrs[i],
 					  &solicited_addr);
-		for (j = 0; j < c; j++)
+		for (j = 0; j < c && j < n_nsc; j++)
 			if (ipv6_addr_cmp(&nsc[j].dest_ipv6_addr,
 					  &solicited_addr) == 0)
 				break;
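
Review bot: The added `j < n_nsc` condition on the inner `for` loop carries no comment marking it as a compiler workaround. Because the commit message says "c" is already limited to "n_nsc", the extra bound looks redundant in the source and a later cleanup could drop it, which would bring back the FORTIFY build failure on ARM Clang builds. A short comment above the loop pointing at the Clang issue (llvm-project issue 136603) would keep the bound in place until the compiler is fixed and make it clear when it can be removed. The visible context also does not show where "c" is capped, so it is worth confirming in the full function that `nsc[c]` is never written when `c == n_nsc`; otherwise the compiler's concern would be a real out-of-bounds access rather than a false positive.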
-- 
2.34.1

