From: Dan Carpenter <dan.carpenter@oracle.com>
To: Lee Gibson <leegib@gmail.com>
Cc: gregkh@linuxfoundation.org, devel@driverdev.osuosl.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
Date: Fri, 26 Feb 2021 17:05:26 +0300 [thread overview]
Message-ID: <20210226140526.GG2222@kadam> (raw)
In-Reply-To: <20210226134333.GA2087@kadam>
Here is a v2 of my check. I've changed it to mark all "->ssid" and
everything in "(struct ieee80211_network)" as protected. I'm just
playing around with it at this point to explore what works best. It's
impossible to know until after some results come back.
regards,
dan carpenter
#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"
static int my_id;
static struct {
const char *type_name;
int len;
} member_list[] = {
{ "(struct ieee80211_network)->ssid", 32 },
{ "(struct rtllib_network)->ssid", 32 },
};
static void match_memset(const char *fn, struct expression *expr, void *_unused)
{
struct expression *dest, *size_arg;
struct range_list *rl;
char *member_name;
int dest_size = 0;
int i;
dest = get_argument_from_call_expr(expr->args, 0);
size_arg = get_argument_from_call_expr(expr->args, 2);
if (!dest || !size_arg)
return;
member_name = get_member_name(dest);
if (!member_name)
return;
for (i = 0; i < ARRAY_SIZE(member_list); i++) {
if (strcmp(member_name, member_list[i].type_name) == 0) {
dest_size = member_list[i].len;
goto check;
}
}
if (strstr(member_name, "->ssid"))
goto check;
if (strncmp(member_name, "(struct ieee80211_network)", 26) == 0)
goto check;
goto free;
check:
get_absolute_rl(size_arg, &rl);
if (!dest_size)
dest_size = get_array_size_bytes(dest);
if (rl_max(rl).value <= dest_size)
goto free;
if (dest_size <= 0 && is_capped(size_arg))
goto free;
sm_msg("protected struct member '%s' overflow: rl='%s'", member_name, show_rl(rl));
free:
free_string(member_name);
}
void check_protected_member(int id)
{
if (option_project != PROJ_KERNEL)
return;
my_id = id;
add_function_hook("memcpy", &match_memset, NULL);
add_function_hook("__memcpy", &match_memset, NULL);
}
next prev parent reply other threads:[~2021-02-26 14:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-26 11:48 [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan Lee Gibson
2021-02-26 12:06 ` Greg KH
2021-02-26 12:30 ` Dan Carpenter
2021-02-26 13:43 ` Dan Carpenter
2021-02-26 14:05 ` Dan Carpenter [this message]
2021-03-01 13:25 ` Dan Carpenter
2021-03-01 15:37 ` Lee
2021-03-05 8:22 ` Dan Carpenter
2021-03-05 15:00 ` Lee
2021-03-08 7:57 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210226140526.GG2222@kadam \
--to=dan.carpenter@oracle.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=leegib@gmail.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.