lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aJ33vFdOfMRDbpls@stanley.mountain>
Date: Thu, 14 Aug 2025 17:50:36 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Qianfeng Rong <rongqianfeng@...o.com>
Cc: Brian Norris <briannorris@...omium.org>,
	Francesco Dolcini <francesco@...cini.it>,
	Johannes Berg <johannes.berg@...el.com>,
	Sascha Hauer <s.hauer@...gutronix.de>,
	Kalle Valo <kvalo@...nel.org>,
	Aditya Kumar Singh <quic_adisi@...cinc.com>,
	Roopni Devanathan <quic_rdevanat@...cinc.com>,
	Rameshkumar Sundaram <quic_ramess@...cinc.com>,
	Jason Xing <kerneljasonxing@...il.com>,
	Christophe JAILLET <christophe.jaillet@...adoo.fr>,
	Thomas Gleixner <tglx@...utronix.de>,
	Jeff Chen <jeff.chen_1@....con>, Bert Karwatzki <spasswolf@....de>,
	Jinjie Ruan <ruanjinjie@...wei.com>,
	"John W. Linville" <linville@...driver.com>,
	Cathy Luo <cluo@...vell.com>, Xinmin Hu <huxm@...vell.com>,
	Avinash Patil <patila@...vell.com>, linux-wireless@...r.kernel.org,
	linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH v2] wifi: mwifiex: use kcalloc to apply for chan_stats

On Thu, Aug 14, 2025 at 09:15:31PM +0800, Qianfeng Rong wrote:
> Use kcalloc to allocate 'adapter->chan_stats' memory (max 900 bytes)
> instead of vmalloc for efficiency and zero-initialize it for security
> per Dan Carpenter's suggestion.
> 

This patch is okay, but lets re-write the commit message:

Subject: wifi: mwifiex: Initialize the chan_stats array to zero

The adapter->chan_stats[] array is initialized in
mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
memory.  The array is filled in mwifiex_update_chan_statistics()
and then the user can query the data in mwifiex_cfg80211_dump_survey().

There are two potential issues here.  What if the user calls
mwifiex_cfg80211_dump_survey() before the data has been filled in.
Also the mwifiex_update_chan_statistics() function doesn't necessarily
initialize the whole array.  Since the array was not initialized at
the start that could result in an information leak.

Also this array is pretty small.  It's a maximum of 900 bytes so it's
more appropriate to use kcalloc() instead vmalloc().

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ