From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Kalle Valo <kvalo@kernel.org>
Cc: "Ben Hutchings" <ben@decadent.org.uk>,
linux-wireless@vger.kernel.org,
"Martin-Éric Racine" <martin-eric.racine@iki.fi>,
"Brandon Nielsen" <nielsenb@jetfuse.net>
Subject: Re: [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
Date: Thu, 19 Sep 2024 10:28:09 +0200 [thread overview]
Message-ID: <20240919082809.GA13162@wp.pl> (raw)
In-Reply-To: <172666715574.3996465.3960547479597216434.kvalo@kernel.org>
On Wed, Sep 18, 2024 at 01:45:57PM +0000, Kalle Valo wrote:
> Ben Hutchings <ben@decadent.org.uk> wrote:
>
> > iwlegacy uses command buffers with a payload size of 320
> > bytes (default) or 4092 bytes (huge). The struct il_device_cmd type
> > describes the default buffers and there is no separate type describing
> > the huge buffers.
> >
> > The il_enqueue_hcmd() function works with both default and huge
> > buffers, and has a memcpy() to the buffer payload. The size of
> > this copy may exceed 320 bytes when using a huge buffer, which
> > now results in a run-time warning:
> >
> > memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320)
> >
> > To fix this:
> >
> > - Define a new struct type for huge buffers, with a correctly sized
> > payload field
> > - When using a huge buffer in il_enqueue_hcmd(), cast the command
> > buffer pointer to that type when looking up the payload field
> >
> > Reported-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> > References: https://bugs.debian.org/1062421
> > References: https://bugzilla.kernel.org/show_bug.cgi?id=219124
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()")
> > Tested-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> > Tested-by: Brandon Nielsen <nielsenb@jetfuse.net>
> > Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
>
> Should this patch go wireless tree for v6.12? As this is a regression I think
> it should.
It's not driver regression per se, just false positive warning when built
with CONFIG_FORTIFY_SOURCE. But it should go to 6.12 IMHO as fix for
the warning.
Regards
Stanislaw
next prev parent reply other threads:[~2024-09-19 8:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 23:01 [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Ben Hutchings
2024-09-12 8:39 ` Stanislaw Gruszka
2024-09-12 17:30 ` Brandon Nielsen
2024-09-13 6:43 ` Stanislaw Gruszka
2024-09-15 8:07 ` Martin-Éric Racine
2024-09-18 13:45 ` Kalle Valo
2024-09-19 8:28 ` Stanislaw Gruszka [this message]
2024-09-19 8:40 ` Kalle Valo
2024-09-19 8:46 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240919082809.GA13162@wp.pl \
--to=stf_xl@wp.pl \
--cc=ben@decadent.org.uk \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=martin-eric.racine@iki.fi \
--cc=nielsenb@jetfuse.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.