| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202104211722.C35B177936@keescook>
Date: Wed, 21 Apr 2021 17:22:11 -0700
From: Kees Cook <keescook@...omium.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Johannes Berg <johannes@...solutions.net>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] wireless: wext-spy: Fix out-of-bounds warning
On Wed, Apr 21, 2021 at 06:43:37PM -0500, Gustavo A. R. Silva wrote:
> Fix the following out-of-bounds warning:
>
> net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]
>
> The problem is that the original code is trying to copy data into a
> couple of struct members adjacent to each other in a single call to
> memcpy(). This causes a legitimate compiler warning because memcpy()
> overruns the length of &threshold.low and &spydata->spy_thr_low. As
> these are just a couple of members, fix this by copying each one of
> them in separate calls to memcpy().
>
> Also, while there, use sizeof(threshold.qual) instead of
> sizeof(struct iw_quality)) in another call to memcpy()
> above.
>
> This helps with the ongoing efforts to globally enable -Warray-bounds
> and get us closer to being able to tighten the FORTIFY_SOURCE routines
> on memcpy().
>
> Link: https://github.com/KSPP/linux/issues/109
> Reported-by: kernel test robot <lkp@...el.com>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
Thanks!
Reviewed-by: Kees Cook <keescook@...omium.org>
-Kees
> ---
> net/wireless/wext-spy.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
> index 33bef22e44e9..bb2de7c6bee4 100644
> --- a/net/wireless/wext-spy.c
> +++ b/net/wireless/wext-spy.c
> @@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev,
> return -EOPNOTSUPP;
>
> /* Just do it */
> - memcpy(&(spydata->spy_thr_low), &(threshold->low),
> - 2 * sizeof(struct iw_quality));
> + memcpy(&spydata->spy_thr_low, &threshold->low, sizeof(threshold->low));
> + memcpy(&spydata->spy_thr_high, &threshold->high, sizeof(threshold->high));
>
> /* Clear flag */
> memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
> @@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev,
> memcpy(threshold.addr.sa_data, address, ETH_ALEN);
> threshold.addr.sa_family = ARPHRD_ETHER;
> /* Copy stats */
> - memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
> + memcpy(&threshold.qual, wstats, sizeof(threshold.qual));
> /* Copy also thresholds */
> - memcpy(&(threshold.low), &(spydata->spy_thr_low),
> - 2 * sizeof(struct iw_quality));
> + memcpy(&threshold.low, &spydata->spy_thr_low, sizeof(threshold.low));
> + memcpy(&threshold.high, &spydata->spy_thr_high, sizeof(threshold.high));
>
> /* Send event to user space */
> wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
> --
> 2.27.0
>
--
Kees Cook
Powered by blists - more mailing lists