| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1b2af606-ade7-4550-b1ba-a78202b257e5@quicinc.com>
Date: Tue, 17 Sep 2024 11:10:08 -0700
From: Jeff Johnson <quic_jjohnson@...cinc.com>
To: Alper Nebi Yasak <alpernebiyasak@...il.com>,
<linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: David Lin <yu-hao.lin@....com>, Dmitry Antipov <dmantipov@...dex.ru>,
Brian Norris <briannorris@...omium.org>, Kalle Valo <kvalo@...nel.org>,
Francesco Dolcini <francesco@...cini.it>,
Sascha Hauer
<s.hauer@...gutronix.de>, Kees Cook <kees@...nel.org>,
"Gustavo A . R .
Silva" <gustavoars@...nel.org>,
Andy Shevchenko
<andriy.shevchenko@...ux.intel.com>,
Johannes Berg <johannes.berg@...el.com>
Subject: Re: [PATCH] wifi: mwifiex: Fix memcpy() field-spanning write warning
in mwifiex_config_scan()
On 9/17/2024 8:08 AM, Alper Nebi Yasak wrote:
> Replace one-element array with a flexible-array member in `struct
> mwifiex_ie_types_wildcard_ssid_params` to fix the following warning
> on a MT8173 Chromebook (mt8173-elm-hana):
>
> [ 356.775250] ------------[ cut here ]------------
> [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
> [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]
>
> The "(size 6)" above is exactly the length of the SSID of the network
> this device was connected to. The source of the warning looks like:
>
> ssid_len = user_scan_in->ssid_list[i].ssid_len;
> [...]
> memcpy(wildcard_ssid_tlv->ssid,
> user_scan_in->ssid_list[i].ssid, ssid_len);
>
> Also adjust a #define that uses sizeof() on this struct to keep the
> value same as before.
>
> Signed-off-by: Alper Nebi Yasak <alpernebiyasak@...il.com>
> ---
> I found these relevant patches that modify other such arrays, where the
> second one removes a -1 from some sizeof() calculation:
>
> https://lore.kernel.org/lkml/Y9xkECG3uTZ6T1dN@work/T/#u
> https://lore.kernel.org/lkml/ZsZa5xRcsLq9D+RX@elsanto/T/#u
>
> So I think we need the +1 to keep things same. But it appears to work
> fine without it, so I'm not sure. Maybe it should've had a -1 before
> that I would remove with this?
I think the original code was incorrect and was allocating too much memory.
I do not think WILDCARD_SSID_TLV_MAX_SIZE requires modification.
>
> drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
> drivers/net/wireless/marvell/mwifiex/scan.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
> index d03129d5d24e..4a96281792cc 100644
> --- a/drivers/net/wireless/marvell/mwifiex/fw.h
> +++ b/drivers/net/wireless/marvell/mwifiex/fw.h
> @@ -875,7 +875,7 @@ struct mwifiex_ietypes_chanstats {
> struct mwifiex_ie_types_wildcard_ssid_params {
> struct mwifiex_ie_types_header header;
> u8 max_ssid_length;
> - u8 ssid[1];
> + u8 ssid[];
> } __packed;
>
> #define TSF_DATA_SIZE 8
> diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
> index cab889af4c4a..50af78ee935b 100644
> --- a/drivers/net/wireless/marvell/mwifiex/scan.c
> +++ b/drivers/net/wireless/marvell/mwifiex/scan.c
> @@ -32,7 +32,7 @@
> #define WILDCARD_SSID_TLV_MAX_SIZE \
> (MWIFIEX_MAX_SSID_LIST_LENGTH * \
> (sizeof(struct mwifiex_ie_types_wildcard_ssid_params) \
> - + IEEE80211_MAX_SSID_LEN))
> + + IEEE80211_MAX_SSID_LEN + 1))
>
> /* Maximum memory needed for a mwifiex_scan_cmd_config with all TLVs at max */
> #define MAX_SCAN_CFG_ALLOC (sizeof(struct mwifiex_scan_cmd_config) \
>
> base-commit: 4f3e012d4cfd1d9bf837870c961f462ca9f23ebe
Powered by blists - more mailing lists