From: Kees Cook <keescook@chromium.org>
To: Brian Norris <briannorris@chromium.org>
Cc: Kalle Valo <kvalo@kernel.org>,
	Dmitry Antipov <dmantipov@yandex.ru>,
	Johannes Berg <johannes.berg@intel.com>,
	zuoqilin <zuoqilin@yulong.com>,
	Ruan Jinjie <ruanjinjie@huawei.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] wifi: mwifiex: Refactor 1-element array into flexible array in struct mwifiex_ie_types_chan_list_param_set
Date: Tue, 6 Feb 2024 10:29:46 -0800
Message-ID: <202402061029.F0937444B2@keescook>
In-Reply-To: <20240206163501.work.158-kees@kernel.org>

Apologies -- this patch is incomplete. My "git add" failed me. ;) I'll
send a v2!

-Kees


On Tue, Feb 06, 2024 at 08:35:04AM -0800, Kees Cook wrote:
> struct mwifiex_ie_types_chan_list_param_set::chan_scan_param is treated
> as a flexible array, so convert it into one so that it doesn't trip the
> array bounds sanitizer[1]. The code was already calculating sizes by not
> including the trailing single element, so no sizeof() changes are needed.
> 
> Link: https://github.com/KSPP/linux/issues/51 [1]
> Cc: Brian Norris <briannorris@chromium.org>
> Cc: Kalle Valo <kvalo@kernel.org>
> Cc: Dmitry Antipov <dmantipov@yandex.ru>
> Cc: Johannes Berg <johannes.berg@intel.com>
> Cc: zuoqilin <zuoqilin@yulong.com>
> Cc: Ruan Jinjie <ruanjinjie@huawei.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
> Cc: linux-wireless@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/net/wireless/marvell/mwifiex/scan.c | 14 ++++++--------
>  1 file changed, 6 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
> index a2ddac363b10..0326b121747c 100644
> --- a/drivers/net/wireless/marvell/mwifiex/scan.c
> +++ b/drivers/net/wireless/marvell/mwifiex/scan.c
> @@ -664,15 +664,14 @@ mwifiex_scan_channel_list(struct mwifiex_private *priv,
>  
>  			/* Copy the current channel TLV to the command being
>  			   prepared */
> -			memcpy(chan_tlv_out->chan_scan_param + tlv_idx,
> +			memcpy(&chan_tlv_out->chan_scan_param[tlv_idx],
>  			       tmp_chan_list,
> -			       sizeof(chan_tlv_out->chan_scan_param));
> +			       sizeof(*chan_tlv_out->chan_scan_param));
>  
>  			/* Increment the TLV header length by the size
>  			   appended */
>  			le16_unaligned_add_cpu(&chan_tlv_out->header.len,
> -					       sizeof(
> -						chan_tlv_out->chan_scan_param));
> +					       sizeof(*chan_tlv_out->chan_scan_param));
>  
>  			/*
>  			 * The tlv buffer length is set to the number of bytes
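Review bot: the diffstat lists only scan.c, but the store through `&chan_tlv_out->chan_scan_param[tlv_idx]` only stops being an out-of-bounds access on the declared type once the member itself is converted from `chan_scan_param[1]` to a flexible array; that header change is not in this patch and needs to be included before the scan.c side is merged. The switch to `sizeof(*chan_tlv_out->chan_scan_param)` is the right form, since it yields the element size under both declarations, so the copied byte count and the `header.len` increment are unchanged.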
> @@ -2369,12 +2368,11 @@ int mwifiex_cmd_802_11_bg_scan_config(struct mwifiex_private *priv,
>  		     chan_idx < MWIFIEX_BG_SCAN_CHAN_MAX &&
>  		     bgscan_cfg_in->chan_list[chan_idx].chan_number;
>  		     chan_idx++) {
> -			temp_chan = chan_list_tlv->chan_scan_param + chan_idx;
> +			temp_chan = &chan_list_tlv->chan_scan_param[chan_idx];
>  
>  			/* Increment the TLV header length by size appended */
>  			le16_unaligned_add_cpu(&chan_list_tlv->header.len,
> -					       sizeof(
> -					       chan_list_tlv->chan_scan_param));
> +					       sizeof(*chan_list_tlv->chan_scan_param));
>  
>  			temp_chan->chan_number =
>  				bgscan_cfg_in->chan_list[chan_idx].chan_number;
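Review bot: `sizeof(*chan_list_tlv->chan_scan_param)` is equivalent to `sizeof(*temp_chan)`, which was just assigned on the line above and reads more directly; either is fine. Worth stating in the commit message that the loop bound `chan_idx < MWIFIEX_BG_SCAN_CHAN_MAX` is what limits the writes through `chan_scan_param[chan_idx]`: once the member is a flexible array the bounds sanitizer no longer checks these stores, so the TLV buffer must be sized for MWIFIEX_BG_SCAN_CHAN_MAX entries.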
> @@ -2413,7 +2411,7 @@ int mwifiex_cmd_802_11_bg_scan_config(struct mwifiex_private *priv,
>  							   chan_scan_param);
>  		le16_unaligned_add_cpu(&chan_list_tlv->header.len,
>  				       chan_num *
> -			     sizeof(chan_list_tlv->chan_scan_param[0]));
> +			     sizeof(*chan_list_tlv->chan_scan_param));
>  	}
>  
>  	tlv_pos += (sizeof(chan_list_tlv->header)
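Review bot: the replaced `sizeof(chan_list_tlv->chan_scan_param[0])` was already the element size and is valid on a flexible array, so this hunk is a style-only change for consistency with the other two sites; a short note to that effect in the commit message would save reviewers from looking for a behaviour change here. The `tlv_pos += (sizeof(chan_list_tlv->header) ...` context line is the pattern that keeps the conversion safe: lengths are built from the header plus per-element sizes rather than `sizeof(struct)`.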
> -- 
> 2.34.1
> 

-- 
Kees Cook
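To make the size reasoning in the commit message concrete, here is an added C example, not the driver's code: the struct and field names echo mwifiex's but the layouts are constructed stand-ins. It shows that a length computed as header plus one element per entry, using `sizeof(*member)`, is identical under the 1-element and flexible-array declarations, while `sizeof(struct)` itself differs, which is why no sizeof() change was needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the driver's TLV types; layouts are illustrative, not mwifiex's. */
struct tlv_header { uint16_t type; uint16_t len; } __attribute__((packed));
struct chan_param {
	uint8_t radio_type, chan_number, chan_scan_mode;
	uint16_t min_scan_time, max_scan_time;
} __attribute__((packed));

/* Before: 1-element array that callers index past; sizeof(struct) includes that element. */
struct chan_list_tlv_old {
	struct tlv_header header;
	struct chan_param chan_scan_param[1];
} __attribute__((packed));
/* After: flexible array member; sizeof(struct) now covers only the header. */
struct chan_list_tlv_new {
	struct tlv_header header;
	struct chan_param chan_scan_param[];
} __attribute__((packed));

size_t old_tlv_struct_size(void) { return sizeof(struct chan_list_tlv_old); }
size_t new_tlv_struct_size(void) { return sizeof(struct chan_list_tlv_new); }

/* Append nchans entries to a TLV at buf. The length is header plus one element per
 * entry, never sizeof(struct ...), so it is the same under both declarations.
 * Returns bytes used, or 0 if buf_len is too small. */
size_t build_chan_list_tlv(uint8_t *buf, size_t buf_len,
			   const struct chan_param *chans, size_t nchans)
{
	struct chan_list_tlv_new *tlv = (struct chan_list_tlv_new *)buf;
	size_t need = sizeof(tlv->header) + nchans * sizeof(*tlv->chan_scan_param);

	if (need > buf_len)
		return 0;
	tlv->header.type = 0x0101;	/* constructed type id */
	tlv->header.len = 0;
	for (size_t i = 0; i < nchans; i++) {
		memcpy(&tlv->chan_scan_param[i], &chans[i], sizeof(*tlv->chan_scan_param));
		tlv->header.len += (uint16_t)sizeof(*tlv->chan_scan_param);
	}
	return need;
}

/* Constructed 3-channel list into a buffer capped at buf_len bytes (at most 64);
 * reports the resulting header.len through payload_len when non-NULL. */
size_t demo_build(size_t buf_len, uint16_t *payload_len)
{
	static const struct chan_param chans[3] = {
		{0, 1, 0, 10, 20}, {0, 6, 0, 10, 20}, {0, 11, 0, 10, 20} };
	uint8_t buf[64] = {0};
	size_t n = build_chan_list_tlv(buf, buf_len < sizeof(buf) ? buf_len : sizeof(buf), chans, 3);

	if (payload_len)
		*payload_len = ((struct chan_list_tlv_new *)buf)->header.len;
	return n;
}
```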
