Re: Coverity: iwl_mvm_sec_key_add(): Memory - corruptions

public inbox for linux-next@vger.kernel.org
 help / color / mirror / Atom feed

From: Johannes Berg <johannes@sipsolutions.net>
To: coverity-bot <keescook@chromium.org>
Cc: Luca Coelho <luciano.coelho@intel.com>,
	Haim Dreyfuss <haim.dreyfuss@intel.com>,
	Miri Korenblit <miriam.rachel.korenblit@intel.com>,
	Petr Stourac <pstourac@redhat.com>,
	linux-kernel@vger.kernel.org,
	Mordechay Goodstein <mordechay.goodstein@intel.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Nathan Errera <nathan.errera@intel.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Shaul Triebitz <shaul.triebitz@intel.com>,
	netdev@vger.kernel.org,
	Gregory Greenman <gregory.greenman@intel.com>,
	Abhishek Naik <abhishek.naik@intel.com>,
	Jose Ignacio Tornos Martinez <jtornosm@redhat.com>,
	Ayala Beker <ayala.beker@intel.com>,
	"David S. Miller" <davem@davemloft.net>,
	linux-wireless@vger.kernel.org,
	Sriram R <quic_srirrama@quicinc.com>,
	Kalle Valo <kvalo@kernel.org>,
	Mike Golant <michael.golant@intel.com>,
	Emmanuel Grumbach <emmanuel.grumbach@intel.com>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: Coverity: iwl_mvm_sec_key_add(): Memory - corruptions
Date: Fri, 18 Nov 2022 22:04:38 +0100	[thread overview]
Message-ID: <d4c07fa45de290f32611420e2f116d8a6e32d22a.camel@sipsolutions.net> (raw)
In-Reply-To: <202211180854.CD96D54D36@keescook>

On Fri, 2022-11-18 at 08:54 -0800, coverity-bot wrote:
> 
> *** CID 1527370:  Memory - corruptions  (OVERRUN)
> drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c:123 in iwl_mvm_sec_key_add()
> 117
> 118     	if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key)))
> 119     		return -EINVAL;
> 120
> 121     	if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
> 122     	    keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
> vvv     CID 1527370:  Memory - corruptions  (OVERRUN)
> vvv     Overrunning buffer pointed to by "cmd.u.add.key + 3" of 32 bytes by passing it to a function which accesses it at byte offset 34 using argument "keyconf->keylen" (which evaluates to 32). [Note: The source code implementation of the function has been overridden by a builtin model.]
> 123     		memcpy(cmd.u.add.key + IWL_SEC_WEP_KEY_OFFSET, keyconf->key,
> 124     		       keyconf->keylen);
> 125     	else
> 126     		memcpy(cmd.u.add.key, keyconf->key, keyconf->keylen);
> 127
> 128     	if (keyconf->cipher == WLAN_CIPHER_SUITE_TKIP) {
> 
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
> 

Well, I don't think you can teach coverity this easily, but the
WARN_ON() check there is not really meant to protect this - WEP keys
must have a length of either 5 or 13 bytes (40 or 104 bits!).

So there's no issue here, but I'm not surprised that coverity wouldn't
be able to figure that out through the stack.

johannes

next prev parent reply	other threads:[~2022-11-18 21:05 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-18 16:54 Coverity: iwl_mvm_sec_key_add(): Memory - corruptions coverity-bot
2022-11-18 21:04 ` Johannes Berg [this message]
2022-11-18 22:25   ` Kees Cook
2022-11-22 16:46     ` Johannes Berg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d4c07fa45de290f32611420e2f116d8a6e32d22a.camel@sipsolutions.net \
    --to=johannes@sipsolutions.net \
    --cc=abhishek.naik@intel.com \
    --cc=ayala.beker@intel.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=emmanuel.grumbach@intel.com \
    --cc=gregory.greenman@intel.com \
    --cc=gustavo@embeddedor.com \
    --cc=haim.dreyfuss@intel.com \
    --cc=jtornosm@redhat.com \
    --cc=keescook@chromium.org \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-next@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=luciano.coelho@intel.com \
    --cc=michael.golant@intel.com \
    --cc=miriam.rachel.korenblit@intel.com \
    --cc=mordechay.goodstein@intel.com \
    --cc=nathan.errera@intel.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pstourac@redhat.com \
    --cc=quic_srirrama@quicinc.com \
    --cc=shaul.triebitz@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox