From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Fabio Aiuto <fabioaiuto83@gmail.com>,
	Hans de Goede <hdegoede@redhat.com>,
	linux-staging@lists.linux.dev, Sasha Levin <sashal@kernel.org>,
	straube.linux@gmail.com, arnd@arndb.de
Subject: [PATCH AUTOSEL 5.17 03/20] staging: rtl8723bs: Allocate full pwep structure
Date: Tue, 21 Jun 2022 16:49:53 -0400
Message-ID: <20220621205010.250185-3-sashal@kernel.org>
In-Reply-To: <20220621205010.250185-1-sashal@kernel.org>

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 67ea0a2adbf667cd6da4965fbcfd0da741035084 ]

The pwep allocation was always being allocated smaller than the true
structure size. Avoid this by always allocating the full structure.
Found with GCC 12 and -Warray-bounds:

../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c: In function 'rtw_set_encryption':
../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c:591:29: warning: array subscript 'struct ndis_802_11_wep[0]' is partly outside array bounds of 'void[25]' [-Warray-bounds]
  591 |                         pwep->length = wep_total_len;
      |                             ^~

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220608215512.1070847-1-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index ece97e37ac91..30374a820496 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -90,7 +90,8 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param,
 		if (wep_key_len > 0) {
 			wep_key_len = wep_key_len <= 5 ? 5 : 13;
 			wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material);
-			pwep = kzalloc(wep_total_len, GFP_KERNEL);
+			/* Allocate a full structure to avoid potentially running off the end. */
+			pwep = kzalloc(sizeof(*pwep), GFP_KERNEL);
 			if (!pwep) {
 				ret = -ENOMEM;
 				goto exit;
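
Review bot: in wpa_set_encryption the new kzalloc(sizeof(*pwep), GFP_KERNEL) no longer depends on wep_total_len, although wep_total_len is still computed on the line above from a key length clamped to 5 or 13. The allocation is only large enough if key_material in struct ndis_802_11_wep holds at least 13 bytes, which this hunk does not show. Consider saying so in the new comment, or enforcing it at build time with a BUILD_BUG_ON that compares sizeof(*pwep) against FIELD_OFFSET(struct ndis_802_11_wep, key_material) + 13.
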
@@ -582,7 +583,8 @@ static int rtw_set_encryption(struct net_device *dev, struct ieee_param *param,
 		if (wep_key_len > 0) {
 			wep_key_len = wep_key_len <= 5 ? 5 : 13;
 			wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material);
-			pwep = kzalloc(wep_total_len, GFP_KERNEL);
+			/* Allocate a full structure to avoid potentially running off the end. */
+			pwep = kzalloc(sizeof(*pwep), GFP_KERNEL);
 			if (!pwep)
 				goto exit;
 
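Review bot: the allocation-failure path in rtw_set_encryption is "if (!pwep) goto exit;" with no error code assigned, while the same check in wpa_set_encryption sets ret = -ENOMEM before jumping. Unless ret already holds an error at this point, which the hunk does not show, a failed kzalloc could be reported to the caller as success. Suggest adding braces and "ret = -ENOMEM;" here so both call sites handle the failure the same way.
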
-- 
2.35.1

