[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZsZNgfnEwOcPdCly@black.fi.intel.com>
Date: Wed, 21 Aug 2024 23:26:41 +0300
From: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Amitkumar Karwar <amitkarwar@...il.com>,
Ganapathi Bhat <ganapathi017@...il.com>,
Sharvari Harisangam <sharvari.harisangam@....com>,
Xinming Hu <huxinming820@...il.com>, Kalle Valo <kvalo@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] wifi: mwifiex: Replace one-element arrays with
flexible-array members
On Thu, Feb 02, 2023 at 07:32:00PM -0600, Gustavo A. R. Silva wrote:
> One-element arrays are deprecated, and we are replacing them with flexible
> array members instead. So, replace one-element arrays with flexible-array
> members in multiple structures.
>
> This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
> routines on memcpy() and help us make progress towards globally
> enabling -fstrict-flex-arrays=3 [1].
>
> This results in no differences in binary output.
Sorry for blast from the past, but I have a question here.
This change seems converts many of the flexible arrays in this driver.
But what's behind this one?
struct host_cmd_ds_802_11_scan_ext {
u32 reserved;
u8 tlv_buffer[1];
} __packed;
AFAIU this needs also some care. On the real machine I have got this
elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
which leads to
memcpy(ext_scan->tlv_buffer, scan_cfg->tlv_buf, scan_cfg->tlv_buf_len);
but the code allocates 2k or more for the command buffer, so this seems
quite enough for 243 bytes.
--
With Best Regards,
Andy Shevchenko
Powered by blists - more mailing lists