[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zw7nfaYZHP-HIqWQ@google.com>
Date: Tue, 15 Oct 2024 15:06:53 -0700
From: Brian Norris <briannorris@...omium.org>
To: Alper Nebi Yasak <alpernebiyasak@...il.com>
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
Francesco Dolcini <francesco@...cini.it>,
Johannes Berg <johannes.berg@...el.com>,
Kees Cook <kees@...nel.org>, Sascha Hauer <s.hauer@...gutronix.de>,
Dmitry Antipov <dmantipov@...dex.ru>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Jeff Johnson <quic_jjohnson@...cinc.com>,
David Lin <yu-hao.lin@....com>, linux-hardening@...r.kernel.org,
Kalle Valo <kvalo@...nel.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Subject: Re: [PATCH v2 2/2] wifi: mwifiex: Annotate
mwifiex_ie_types_wildcard_ssid_params with __counted_by()
Hi Alper,
On Tue, Oct 08, 2024 at 01:20:55AM +0300, Alper Nebi Yasak wrote:
> Add the __counted_by compiler attribute to the flexible array member
> `ssid` to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
> CONFIG_FORTIFY_SOURCE.
>
> Signed-off-by: Alper Nebi Yasak <alpernebiyasak@...il.com>
> ---
> I've mimicked the commit messages from `git log -S"__counted_by("`.
> Since they refer to UBSAN I tried testing with CONFIG_KASAN (w/
> kasan_multi_shot), CONFIG_UBSAN and CONFIG_FORTIFY_SOURCE. I do not
> get any errors relating to this module with those options, but have
> others -- I even had to test on another board altogether.
It's possible you don't have a new enough compiler to enable the
improved array bounds checks? Supposedly, that's new in GCC 15 and Clang
18. But I'm not too familiar.
> This attribute was suggested in reviews, I don't fully understand it,
> but I am not sure it is correct in the context of this comment from
> scan.c (with irrelelvant parts omitted):
>
> ssid_len = user_scan_in->ssid_list[i].ssid_len;
>
> wildcard_ssid_tlv =
> (struct mwifiex_ie_types_wildcard_ssid_params *)
> tlv_pos;
>
> /*
> * max_ssid_length = 0 tells firmware to perform
> * specific scan for the SSID filled, whereas
> * max_ssid_length = IEEE80211_MAX_SSID_LEN is for
> * wildcard scan.
> */
> if (ssid_len)
> wildcard_ssid_tlv->max_ssid_length = 0;
> else
> wildcard_ssid_tlv->max_ssid_length =
> IEEE80211_MAX_SSID_LEN;
>
> memcpy(wildcard_ssid_tlv->ssid,
> user_scan_in->ssid_list[i].ssid, ssid_len);
>
> I expect we want to use __counted_by(ssid_len) instead, but do not have
> it in the struct. And max_ssid_length = 0 when ssid[] is non-empty, so
> is it really appropriate as the __counted_by()? But then again, I
> couldn't get this to produce a warning.
The correct length would be derived from header.len. But IIUC,
__counted_by neither supports nested structs, nor derived values.
But anyway, like you suspect, __counted_by(max_ssid_length) is actually
wrong.
I'd be happy to be enlighted by other experts on CC, but otherwise,
that's a "NACK" for patch 2. Thanks for looking into this though!
Regards,
Brian
> Changes in v2:
> - Add patch to annotate ssid field with __counted_by(max_ssid_length)
>
> drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
> index 4a96281792cc..e4e35ba35454 100644
> --- a/drivers/net/wireless/marvell/mwifiex/fw.h
> +++ b/drivers/net/wireless/marvell/mwifiex/fw.h
> @@ -875,7 +875,7 @@ struct mwifiex_ietypes_chanstats {
> struct mwifiex_ie_types_wildcard_ssid_params {
> struct mwifiex_ie_types_header header;
> u8 max_ssid_length;
> - u8 ssid[];
> + u8 ssid[] __counted_by(max_ssid_length);
> } __packed;
>
> #define TSF_DATA_SIZE 8
> --
> 2.45.2
>
Powered by blists - more mailing lists