lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <26b15f4702cef17fe70b496a62f03735874bd16a.camel@sipsolutions.net>
Date:   Tue, 24 Oct 2023 22:11:38 +0200
From:   Johannes Berg <johannes@...solutions.net>
To:     "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        Kalle Valo <kvalo@...nel.org>,
        Jeff Johnson <quic_jjohnson@...cinc.com>
Cc:     ath10k@...ts.infradead.org, linux-wireless@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        linux-hardening@...r.kernel.org
Subject: Re: [RFC - is this a bug?] wifi: ath10k: Asking for some light on
 this, please :)

On Tue, 2023-10-24 at 13:50 -0600, Gustavo A. R. Silva wrote:
> Hi all,
> 
> While working on tranforming one-element array `peer_chan_list` in
> `struct wmi_tdls_peer_capabilities` into a flex-array member
> 
> 7187 struct wmi_tdls_peer_capabilities {
> ...
> 7199         struct wmi_channel peer_chan_list[1];
> 7200 } __packed;
> 
> the following line caught my attention:
> 
> ./drivers/net/wireless/ath/ath10k/wmi.c:
> 8920         memset(skb->data, 0, sizeof(*cmd));
> 
> Notice that before the flex-array transformation, we are zeroing 128
> bytes in `skb->data` because `sizeof(*cmd) == 128`, see below:


> So, my question is: do we really need to zero out those extra 24 bytes in
> `skb->data`? or is it rather a bug in the original code?
> 

If we look a step further, I _think_ even that memset is unnecessary?


struct sk_buff *ath10k_wmi_alloc_skb(struct ath10k *ar, u32 len)
{
        struct sk_buff *skb;
        u32 round_len = roundup(len, 4);

        skb = ath10k_htc_alloc_skb(ar, WMI_SKB_HEADROOM + round_len);
        if (!skb)
                return NULL;

        skb_reserve(skb, WMI_SKB_HEADROOM);
        if (!IS_ALIGNED((unsigned long)skb->data, 4))
                ath10k_warn(ar, "Unaligned WMI skb\n");

        skb_put(skb, round_len);
        memset(skb->data, 0, round_len);

        return skb;
}


So shouldn't the outgoing skb be exactly the same?

Anyway, just looking at the code out of curiosity, I don't actually know
anything about this driver :)

johannes

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ