From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Brandon Nielsen <nielsenb@jetfuse.net>
Cc: "Ben Hutchings" <ben@decadent.org.uk>,
linux-wireless@vger.kernel.org,
"Martin-Éric Racine" <martin-eric.racine@iki.fi>
Subject: Re: [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
Date: Fri, 13 Sep 2024 08:43:59 +0200 [thread overview]
Message-ID: <20240913064359.GA147350@wp.pl> (raw)
In-Reply-To: <576a9e32-e1cf-478f-999a-7ef3849d714e@jetfuse.net>
On Thu, Sep 12, 2024 at 12:30:42PM -0500, Brandon Nielsen wrote:
> On 9/12/24 3:39 AM, Stanislaw Gruszka wrote:
> > On Thu, Sep 12, 2024 at 01:01:21AM +0200, Ben Hutchings wrote:
> > > iwlegacy uses command buffers with a payload size of 320
> > > bytes (default) or 4092 bytes (huge). The struct il_device_cmd type
> > > describes the default buffers and there is no separate type describing
> > > the huge buffers.
> > >
> > > The il_enqueue_hcmd() function works with both default and huge
> > > buffers, and has a memcpy() to the buffer payload. The size of
> > > this copy may exceed 320 bytes when using a huge buffer, which
> > > now results in a run-time warning:
> > >
> > > memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320)
> > >
> > > To fix this:
> > >
> > > - Define a new struct type for huge buffers, with a correctly sized
> > > payload field
> > > - When using a huge buffer in il_enqueue_hcmd(), cast the command
> > > buffer pointer to that type when looking up the payload field
> > >
> > > Reported-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> > > References: https://bugs.debian.org/1062421
> > > References: https://bugzilla.kernel.org/show_bug.cgi?id=219124
> > > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > > Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()")
> > > Tested-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> > > Tested-by: Brandon Nielsen <nielsenb@jetfuse.net>
> >
> > I proposed diffrent fix for this here:
> > https://lore.kernel.org/linux-wireless/20240520073210.GA693073@wp.pl/
> > but never get feedback if it works on real HW.
> > So I prefer this one, sice it was tested.
> >
> > Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
> >
> > Martin-Éric and Brandon, could you plase also test patch from
> > https://lore.kernel.org/linux-wireless/Zr2gxERA3RL3EwRe@elsanto/
> > if it does not break the driver?
> >
>
> As far as I can tell nothing breaks with that additional patch applied.
Great, thanks for testing the patch.
Stanislaw
next prev parent reply other threads:[~2024-09-13 6:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 23:01 [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Ben Hutchings
2024-09-12 8:39 ` Stanislaw Gruszka
2024-09-12 17:30 ` Brandon Nielsen
2024-09-13 6:43 ` Stanislaw Gruszka [this message]
2024-09-15 8:07 ` Martin-Éric Racine
2024-09-18 13:45 ` Kalle Valo
2024-09-19 8:28 ` Stanislaw Gruszka
2024-09-19 8:40 ` Kalle Valo
2024-09-19 8:46 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240913064359.GA147350@wp.pl \
--to=stf_xl@wp.pl \
--cc=ben@decadent.org.uk \
--cc=linux-wireless@vger.kernel.org \
--cc=martin-eric.racine@iki.fi \
--cc=nielsenb@jetfuse.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.