From: Kalle Valo <kvalo@codeaurora.org>
To: Kees Cook <keescook@chromium.org>
Cc: netdev@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Stanislav Yakovlev <stas.yakovlev@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-wireless@vger.kernel.org,
Saeed Mahameed <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Jesper Dangaard Brouer <hawk@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, KP Singh <kpsingh@kernel.org>,
linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
bpf@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/3] ipw2x00: Avoid field-overflowing memcpy()
Date: Sat, 21 Aug 2021 17:15:54 +0000 (UTC) [thread overview]
Message-ID: <20210821171554.398BEC43619@smtp.codeaurora.org> (raw)
In-Reply-To: <20210819202825.3545692-2-keescook@chromium.org>
Kees Cook <keescook@chromium.org> wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
>
> libipw_read_qos_param_element() copies a struct libipw_info_element
> into a struct libipw_qos_information_element, but is actually wanting to
> copy into the larger struct libipw_qos_parameter_info (the contents of
> ac_params_record[] is later examined). Refactor the routine to perform
> centralized checks, and copy the entire contents directly (since the id
> and len members match the elementID and length members):
>
> struct libipw_info_element {
> u8 id;
> u8 len;
> u8 data[];
> } __packed;
>
> struct libipw_qos_information_element {
> u8 elementID;
> u8 length;
> u8 qui[QOS_OUI_LEN];
> u8 qui_type;
> u8 qui_subtype;
> u8 version;
> u8 ac_info;
> } __packed;
>
> struct libipw_qos_parameter_info {
> struct libipw_qos_information_element info_element;
> u8 reserved;
> struct libipw_qos_ac_parameter ac_params_record[QOS_QUEUE_NUM];
> } __packed;
>
> Cc: Stanislav Yakovlev <stas.yakovlev@gmail.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
2 patches applied to wireless-drivers-next.git, thanks.
d6b6d1bb80be ipw2x00: Avoid field-overflowing memcpy()
92276c592a6b ray_cs: Split memcpy() to avoid bounds check warning
--
https://patchwork.kernel.org/project/linux-wireless/patch/20210819202825.3545692-2-keescook@chromium.org/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next prev parent reply other threads:[~2021-08-21 17:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-19 20:28 [PATCH 0/3] net: Cleanups for FORTIFY_SOURCE Kees Cook
2021-08-19 20:28 ` [PATCH 1/3] ipw2x00: Avoid field-overflowing memcpy() Kees Cook
2021-08-21 17:15 ` Kalle Valo [this message]
2021-08-19 20:28 ` [PATCH 2/3] net/mlx5e: " Kees Cook
2021-08-19 20:28 ` [PATCH 3/3] pcmcia: ray_cs: Split memcpy() to avoid bounds check warning Kees Cook
2021-08-20 17:01 ` [PATCH 0/3] net: Cleanups for FORTIFY_SOURCE Jakub Kicinski
2021-08-21 10:11 ` Kalle Valo
2021-08-21 10:13 ` Kalle Valo
2021-08-22 5:16 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210821171554.398BEC43619@smtp.codeaurora.org \
--to=kvalo@codeaurora.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=keescook@chromium.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=saeedm@nvidia.com \
--cc=songliubraving@fb.com \
--cc=stas.yakovlev@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.