From: Kees Cook <keescook@chromium.org>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Christian Lamparter <chunkeey@googlemail.com>,
Kalle Valo <kvalo@kernel.org>,
Johannes Berg <johannes.berg@intel.com>,
Arnd Bergmann <arnd@arndb.de>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] carl9170: re-fix fortified-memset warning
Date: Fri, 23 Jun 2023 16:04:13 -0700 [thread overview]
Message-ID: <202306231549.CC5FE5D69@keescook> (raw)
In-Reply-To: <20230623152443.2296825-1-arnd@kernel.org>
On Fri, Jun 23, 2023 at 05:23:59PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> The carl9170_tx_release() function sometimes triggers a fortified-memset
> warning in my randconfig builds:
>
> In file included from include/linux/string.h:254,
> from drivers/net/wireless/ath/carl9170/tx.c:40:
> In function 'fortify_memset_chk',
> inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,
> inlined from 'kref_put' at include/linux/kref.h:65:3,
> inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:
> include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
> 493 | __write_overflow_field(p_size_field, size);
>
> Kees previously tried to avoid this by using memset_after(), but it seems
> this does not fully address the problem. I noticed that the memset_after()
> here is done on a different part of the union (status) than the original
> cast was from (rate_driver_data), which may confuse the compiler.
>
> Unfortunately, the memset_after() trick does not work on driver_rates[]
> because that is part of an anonymous struct, and I could not get
> struct_group() to do this either. Using two separate memset() calls
> on the two members does address the warning though.
>
> Fixes: fb5f6a0e8063b ("mac80211: Use memset_after() to clear tx status")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/net/wireless/ath/carl9170/tx.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c
> index 6bb9aa2bfe654..88ef6e023f826 100644
> --- a/drivers/net/wireless/ath/carl9170/tx.c
> +++ b/drivers/net/wireless/ath/carl9170/tx.c
> @@ -280,7 +280,8 @@ static void carl9170_tx_release(struct kref *ref)
> * carl9170_tx_fill_rateinfo() has filled the rate information
> * before we get to this point.
> */
> - memset_after(&txinfo->status, 0, rates);
> + memset(&txinfo->pad, 0, sizeof(txinfo->pad));
> + memset(&txinfo->rate_driver_data, 0, sizeof(txinfo->rate_driver_data));
This is "accidentally" equivalent, which makes me nervous. It was
designed to clear everything after "rates", regardless of padding, etc.
What I don't get is why the warning is being emitted. It boils down to
an expansion of this:
memset(__ptr + offsetofend(typeof(*(obj)), member), __val,
sizeof(*(obj)) - offsetofend(typeof(*(obj)), member));
into:
memset(&txinfo->status + offsetofend(struct ieee80211_tx_info, rates),
0, sizeof(txinfo->status - offsetofend(struct ieee80211_tx_info, rates)))
Is offsetofend() broken?
--
Kees Cook
prev parent reply other threads:[~2023-06-23 23:04 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-23 15:23 [PATCH 1/2] carl9170: re-fix fortified-memset warning Arnd Bergmann
2023-06-23 15:24 ` [PATCH 2/2] mac80211: make ieee80211_tx_info padding explicit Arnd Bergmann
2023-06-23 23:07 ` Kees Cook
2023-06-23 15:38 ` [PATCH 1/2] carl9170: re-fix fortified-memset warning Christian Lamparter
2023-06-23 16:05 ` Arnd Bergmann
2023-06-23 17:15 ` Christian Lamparter
2023-06-26 6:51 ` Jiri Slaby
2023-06-23 23:33 ` Kees Cook
2023-06-23 23:04 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202306231549.CC5FE5D69@keescook \
--to=keescook@chromium.org \
--cc=arnd@arndb.de \
--cc=arnd@kernel.org \
--cc=chunkeey@googlemail.com \
--cc=johannes.berg@intel.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.