| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202306231549.CC5FE5D69@keescook>
Date: Fri, 23 Jun 2023 16:04:13 -0700
From: Kees Cook <keescook@...omium.org>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Christian Lamparter <chunkeey@...glemail.com>,
Kalle Valo <kvalo@...nel.org>,
Johannes Berg <johannes.berg@...el.com>,
Arnd Bergmann <arnd@...db.de>, linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] carl9170: re-fix fortified-memset warning
On Fri, Jun 23, 2023 at 05:23:59PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> The carl9170_tx_release() function sometimes triggers a fortified-memset
> warning in my randconfig builds:
>
> In file included from include/linux/string.h:254,
> from drivers/net/wireless/ath/carl9170/tx.c:40:
> In function 'fortify_memset_chk',
> inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,
> inlined from 'kref_put' at include/linux/kref.h:65:3,
> inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:
> include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 493 | __write_overflow_field(p_size_field, size);
>
> Kees previously tried to avoid this by using memset_after(), but it seems
> this does not fully address the problem. I noticed that the memset_after()
> here is done on a different part of the union (status) than the original
> cast was from (rate_driver_data), which may confuse the compiler.
>
> Unfortunately, the memset_after() trick does not work on driver_rates[]
> because that is part of an anonymous struct, and I could not get
> struct_group() to do this either. Using two separate memset() calls
> on the two members does address the warning though.
>
> Fixes: fb5f6a0e8063b ("mac80211: Use memset_after() to clear tx status")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/net/wireless/ath/carl9170/tx.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c
> index 6bb9aa2bfe654..88ef6e023f826 100644
> --- a/drivers/net/wireless/ath/carl9170/tx.c
> +++ b/drivers/net/wireless/ath/carl9170/tx.c
> @@ -280,7 +280,8 @@ static void carl9170_tx_release(struct kref *ref)
> * carl9170_tx_fill_rateinfo() has filled the rate information
> * before we get to this point.
> */
> - memset_after(&txinfo->status, 0, rates);
> + memset(&txinfo->pad, 0, sizeof(txinfo->pad));
> + memset(&txinfo->rate_driver_data, 0, sizeof(txinfo->rate_driver_data));
This is "accidentally" equivalent, which makes me nervous. It was
designed to clear everything after "rates", regardless of padding, etc.
What I don't get is why the warning is being emitted. It boils down to
an expansion of this:
memset(__ptr + offsetofend(typeof(*(obj)), member), __val,
sizeof(*(obj)) - offsetofend(typeof(*(obj)), member));
into:
memset(&txinfo->status + offsetofend(struct ieee80211_tx_info, rates),
0, sizeof(txinfo->status - offsetofend(struct ieee80211_tx_info, rates)))
Is offsetofend() broken?
--
Kees Cook
Powered by blists - more mailing lists