From: Kees Cook <keescook@chromium.org>
To: Hawkins Jiawei <yin31149@gmail.com>
Cc: 18801353760@163.com, davem@davemloft.net, edumazet@google.com,
johannes@sipsolutions.net, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, sfr@canb.auug.org.au,
syzbot+473754e5af963cf014cf@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] Add linux-next specific files for 20220923
Date: Sat, 24 Sep 2022 09:26:01 -0700 [thread overview]
Message-ID: <202209240905.F5654D7A5@keescook> (raw)
In-Reply-To: <20220924155514.32408-1-yin31149@gmail.com>
On Sat, Sep 24, 2022 at 11:55:14PM +0800, Hawkins Jiawei wrote:
> > And as for the value of offsetof in calculating **offset**,
> > I wonder if we can use the macro defined in
> > include/linux/wireless.h as below, which makes code simplier:
> > #define IW_EV_COMPAT_LCP_LEN offsetof(struct __compat_iw_event, pointer)
Ah yes, that would be good.
> According to above code, it seems that kernel will saves enough memory
> (hdr_len + extra_len bytes) for payload structure in
> nla_reserve()(Please correct me if I am wrong), pointed by compat_event.
> So I wonder if we can use unsafe_memcpy(), to avoid unnecessary
> memcpy() check as below, which seems more simple:
I'd rather this was properly resolved with the creation of a real
flexible array so that when bounds tracking gets improved in the future,
the compiler can reason about it better. And, I think, it makes the code
more readable:
diff --git a/include/linux/wireless.h b/include/linux/wireless.h
index 2d1b54556eff..e0b4b46da63f 100644
--- a/include/linux/wireless.h
+++ b/include/linux/wireless.h
@@ -26,7 +26,10 @@ struct compat_iw_point {
struct __compat_iw_event {
__u16 len; /* Real length of this stuff */
__u16 cmd; /* Wireless IOCTL */
- compat_caddr_t pointer;
+ union {
+ compat_caddr_t pointer;
+ DECLARE_FLEX_ARRAY(__u8, ptr_bytes);
+ };
};
#define IW_EV_COMPAT_LCP_LEN offsetof(struct __compat_iw_event, pointer)
#define IW_EV_COMPAT_POINT_OFF offsetof(struct compat_iw_point, length)
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 76a80a41615b..6079c8f4b634 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -468,6 +468,7 @@ void wireless_send_event(struct net_device * dev,
struct __compat_iw_event *compat_event;
struct compat_iw_point compat_wrqu;
struct sk_buff *compskb;
+ int ptr_len;
#endif
/*
@@ -582,6 +583,7 @@ void wireless_send_event(struct net_device * dev,
nlmsg_end(skb, nlh);
#ifdef CONFIG_COMPAT
hdr_len = compat_event_type_size[descr->header_type];
+ ptr_len = hdr_len - IW_EV_COMPAT_LCP_LEN;
event_len = hdr_len + extra_len;
compskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
@@ -612,16 +614,15 @@ void wireless_send_event(struct net_device * dev,
if (descr->header_type == IW_HEADER_TYPE_POINT) {
compat_wrqu.length = wrqu->data.length;
compat_wrqu.flags = wrqu->data.flags;
- memcpy(&compat_event->pointer,
+ memcpy(compat_event->ptr_bytes,
((char *) &compat_wrqu) + IW_EV_COMPAT_POINT_OFF,
- hdr_len - IW_EV_COMPAT_LCP_LEN);
+ ptr_len);
if (extra_len)
- memcpy(((char *) compat_event) + hdr_len,
+ memcpy(compat_event->ptr_bytes + ptr_len,
extra, extra_len);
} else {
/* extra_len must be zero, so no if (extra) needed */
- memcpy(&compat_event->pointer, wrqu,
- hdr_len - IW_EV_COMPAT_LCP_LEN);
+ memcpy(compat_event->ptr_bytes, wrqu, ptr_len);
}
nlmsg_end(compskb, nlh);
--
Kees Cook
next prev parent reply other threads:[~2022-09-24 16:26 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-23 16:05 [syzbot] WARNING in wireless_send_event syzbot
2022-09-24 7:10 ` [PATCH] Add linux-next specific files for 20220923 Hawkins Jiawei
2022-09-24 7:26 ` Kees Cook
2022-09-24 11:44 ` Hawkins Jiawei
2022-09-24 15:55 ` Hawkins Jiawei
2022-09-24 15:55 ` syzbot
2022-09-24 16:13 ` Hawkins Jiawei
2022-09-24 16:33 ` [syzbot] WARNING in wireless_send_event syzbot
2022-09-24 16:26 ` Kees Cook [this message]
2022-09-25 6:25 ` [PATCH] Add linux-next specific files for 20220923 Hawkins Jiawei
2022-09-24 7:32 ` [syzbot] WARNING in wireless_send_event syzbot
2022-09-26 11:59 ` Hawkins Jiawei
2022-09-26 12:24 ` syzbot
2022-09-26 15:09 ` [PATCH] wext: use flex array destination for memcpy() Hawkins Jiawei
2022-09-26 16:14 ` Eric Dumazet
2022-09-26 23:17 ` Hawkins Jiawei
2022-09-26 17:43 ` Kees Cook
2022-09-26 23:34 ` [PATCH wireless-next v2] " Hawkins Jiawei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202209240905.F5654D7A5@keescook \
--to=keescook@chromium.org \
--cc=18801353760@163.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sfr@canb.auug.org.au \
--cc=syzbot+473754e5af963cf014cf@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yin31149@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.