From: Kees Cook <keescook@chromium.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: Jeff Johnson <quic_jjohnson@quicinc.com>,
Michael Walle <mwalle@kernel.org>,
lkp@intel.com, oe-kbuild-all@lists.linux.dev,
linux-wireless@vger.kernel.org,
Max Schulze <max.schulze@online.de>
Subject: Re: [RFC PATCH] wifi: cfg80211: fix CQM for non-range use
Date: Thu, 30 Nov 2023 10:46:08 -0800 [thread overview]
Message-ID: <202311301045.6DA830F7@keescook> (raw)
In-Reply-To: <01e3663e9e1418a183ee86251e0352256494ee28.camel@sipsolutions.net>
On Thu, Nov 30, 2023 at 07:40:26PM +0100, Johannes Berg wrote:
> On Thu, 2023-11-30 at 10:32 -0800, Kees Cook wrote:
> > Yeah, I would expect this to mean that there is a code path that
> > GCC found where the value could overflow. It does this when a variable
> > "value range" gets bounded (e.g. an int isn't the full -INT_MAX to INT_MAX
> > range).And flex_array_size() was designed to saturate at SIZE_MIX rather
> > than wrapping around to an unexpected small value, so these are playing
> > together it seems.
> >
> > However, I would have expected the kzalloc() to blow up _first_.
>
> Hmm.
>
> > Regardless, I suspect the addition of "if (n_thresholds > 1)" is what is
> > tripping GCC.
> >
> > int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
> > ...
> > return nl80211_set_cqm_rssi(info, thresholds, len / 4,
> > hysteresis);
> >
> > Now it "knows" there is a path where n_threasholds could be [2,
> > INT_MAX].
>
> Yeah, it's not _really_ bounded, apart from the message length? But then
> struct_size() should saturate and fail? But I guess it cannot know that,
> and limits the object size to 1<<63 - 1 whereas the copy is 1<<64 - 1...
>
> > Does this warning go away if "len" is made unsigned?
>
> Thing is, neither Kalle nor I can even reproduce the warning locally, so
> it's a bit hard to check ... not even with their config and gcc 12.2.0
> (nix, rather than debian though.)
Ah! Hmm. Let me see if I can coax out the warning locally...
--
Kees Cook
next prev parent reply other threads:[~2023-11-30 18:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-28 14:44 [RFC PATCH] wifi: cfg80211: fix CQM for non-range use Michael Walle
2023-11-28 18:23 ` Johannes Berg
2023-11-28 21:01 ` Jeff Johnson
2023-11-30 18:32 ` Kees Cook
2023-11-30 18:40 ` Johannes Berg
2023-11-30 18:46 ` Kees Cook [this message]
2023-11-30 18:52 ` Johannes Berg
2023-11-30 18:52 ` Kees Cook
2023-11-30 18:54 ` Johannes Berg
2023-11-30 18:55 ` Kees Cook
2023-11-30 19:00 ` Johannes Berg
-- strict thread matches above, loose matches on Subject: below --
2023-11-06 22:17 Johannes Berg
2023-11-28 17:47 ` Michael Krause
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202311301045.6DA830F7@keescook \
--to=keescook@chromium.org \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=lkp@intel.com \
--cc=max.schulze@online.de \
--cc=mwalle@kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=quic_jjohnson@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox