* [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array
@ 2023-06-20 8:08 Dmitry Antipov
2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dmitry Antipov @ 2023-06-20 8:08 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Kalle Valo, linux-wireless, Dmitry Antipov
In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so
add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
drivers/net/wireless/ath/ath9k/xmit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index f6f2ab7a63ff..8babaaacacf5 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -466,6 +466,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
*nframes = 0;
isaggr = bf_isaggr(bf);
+ memset(ba, 0, WME_BA_BMP_SIZE >> 3);
+
if (isaggr) {
seq_st = ts->ts_seqnum;
memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
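Review bot: the new memset() runs unconditionally, but in the `if (isaggr)` branch right below it the memcpy() overwrites the same `WME_BA_BMP_SIZE >> 3` bytes, so the zeroing only matters on the non-aggregate path. Either move it to an else branch or keep it as is for symmetry with ath_tx_complete_aggr(), and say in the commit message which path reads 'ba' uninitialized so a reader can tell whether this fixes a real read or only a tool report. The byte count is also spelled out twice now; the declaration of 'ba' is not visible in this hunk, but if it is an array in this scope, sizeof(ba) would avoid the repetition.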
--
2.41.0
* [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings
From: Dmitry Antipov @ 2023-06-20 8:08 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Kalle Valo, linux-wireless, Dmitry Antipov, Johannes Berg
When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
I've noticed the following:
In function ‘fortify_memcpy_chk’,
inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4,
inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
529 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘fortify_memcpy_chk’,
inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3,
inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2,
inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
529 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In both cases, the compiler complains about:
memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
which is the legal way to copy both 'ba_low' and following 'ba_high'
members of 'struct ath_tx_status' at once (that is, issue one 8-byte
'memcpy()' for two 4-byte fields). Since the fortification logic seems
to interpret this trick as an attempt to overread 4-byte 'ba_low', silence
relevant warnings by using the convenient 'struct_group()' quirk.
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
v2: prefer struct_group() over offsetof() (Johannes Berg)
---
drivers/net/wireless/ath/ath9k/mac.h | 6 ++++--
drivers/net/wireless/ath/ath9k/xmit.c | 4 ++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/mac.h b/drivers/net/wireless/ath/ath9k/mac.h
index af44b33814dd..f03d792732da 100644
--- a/drivers/net/wireless/ath/ath9k/mac.h
+++ b/drivers/net/wireless/ath/ath9k/mac.h
@@ -115,8 +115,10 @@ struct ath_tx_status {
u8 qid;
u16 desc_id;
u8 tid;
- u32 ba_low;
- u32 ba_high;
+ struct_group(ba,
+ u32 ba_low;
+ u32 ba_high;
+ );
u32 evm0;
u32 evm1;
u32 evm2;
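Review bot: the group name `ba` in struct_group() reads the same as the bitmap variable that xmit.c also calls `ba`, so the call sites become memcpy(ba, &ts->ba, ...), where source and destination differ only by the `ts->` prefix. A more distinct group name, plus a one-line comment above struct_group() saying that the two words are grouped because they are copied together as one 8-byte bitmap, would make the intent clear to the next reader of mac.h.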
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 8babaaacacf5..4e939dcac1c9 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -470,7 +470,7 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
if (isaggr) {
seq_st = ts->ts_seqnum;
- memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+ memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3);
}
while (bf) {
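Review bot: the length in the changed memcpy() is still `WME_BA_BMP_SIZE >> 3`, which is tied to the source only by convention. Now that `ts->ba` exists, using sizeof(ts->ba) as the length, or placing a BUILD_BUG_ON(sizeof(ts->ba) != WME_BA_BMP_SIZE >> 3) next to the copy, would make a later change to either the macro or the group fail at build time instead of turning into a short copy or a new fortify report.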
@@ -553,7 +553,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
if (isaggr && txok) {
if (ts->ts_flags & ATH9K_TX_BA) {
seq_st = ts->ts_seqnum;
- memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+ memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3);
} else {
/*
* AR5416 can become deaf/mute when BA
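Review bot: this copy is guarded by `isaggr && txok` and `ts->ts_flags & ATH9K_TX_BA`, while the identical copy in ath_tx_count_frames() in the previous hunk is guarded by `isaggr` alone. The difference predates the patch, but since both lines are being touched it deserves a sentence in the commit message on whether it is intended, or a small helper so the two sites share one guarded read of the bitmap.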
--
2.41.0
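A userspace model of what this patch changes, added here as an illustration and not part of the posted patch or the kernel tree. `STRUCT_GROUP` is a simplified stand-in for the kernel's `struct_group()`, `COPY_FROM_MEMBER` models the fortify size check, and the struct names and trimmed layouts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BA_BYTES ((size_t)8) /* WME_BA_BMP_SIZE >> 3: 8 bytes per the commit message */
/* Simplified stand-in for struct_group(): members are declared twice in an
 * anonymous union, anonymously (ts->ba_low still works) and as a named struct. */
#define STRUCT_GROUP(NAME, ...) \
	union { struct { __VA_ARGS__ }; struct { __VA_ARGS__ } NAME; }

struct status_flat {    /* constructed, trimmed "before" layout */
	uint8_t tid;
	uint32_t ba_low;
	uint32_t ba_high;
	uint32_t evm0;
};
struct status_grouped { /* constructed, trimmed "after" layout */
	uint8_t tid;
	STRUCT_GROUP(ba, uint32_t ba_low; uint32_t ba_high;);
	uint32_t evm0;
};
/* Model of the fortify rule: refuse a read longer than the member named as
 * the source. Evaluates to 0 after copying, -1 if refused. */
#define COPY_FROM_MEMBER(dst, member, len) \
	((len) > sizeof(member) ? -1 : (memcpy((dst), &(member), (len)), 0))

int copy_flat(const struct status_flat *ts, uint32_t *ba)
{
	return COPY_FROM_MEMBER(ba, ts->ba_low, BA_BYTES);  /* 8 > 4: refused */
}
int copy_grouped(const struct status_grouped *ts, uint32_t *ba)
{
	return COPY_FROM_MEMBER(ba, ts->ba, BA_BYTES);      /* 8 <= 8: copied */
}
int layout_unchanged(void) /* grouping must not move or resize anything */
{
	return offsetof(struct status_flat, ba_high) == offsetof(struct status_grouped, ba_high) &&
	       offsetof(struct status_flat, evm0) == offsetof(struct status_grouped, evm0) &&
	       sizeof(struct status_flat) == sizeof(struct status_grouped);
}
int main(void)
{
	struct status_flat f = { 1, 0xfu, 0x80000000u, 0 };
	struct status_grouped g = { 0 };
	uint32_t ba[2] = { 0, 0 };
	g.ba_low = 0xfu;
	printf("flat=%d grouped=%d same_layout=%d\n", copy_flat(&f, ba), copy_grouped(&g, ba), layout_unchanged());
	return 0;
}
```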
* Re: [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array
From: Toke Høiland-Jørgensen @ 2023-06-20 12:05 UTC (permalink / raw)
To: Dmitry Antipov; +Cc: Kalle Valo, linux-wireless, Dmitry Antipov
Dmitry Antipov <dmantipov@yandex.ru> writes:
> In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so
> add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'.
>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
* Re: [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings
From: Toke Høiland-Jørgensen @ 2023-06-20 12:05 UTC (permalink / raw)
To: Dmitry Antipov; +Cc: Kalle Valo, linux-wireless, Dmitry Antipov, Johannes Berg
Dmitry Antipov <dmantipov@yandex.ru> writes:
> When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
> I've noticed the following:
>
> In function ‘fortify_memcpy_chk’,
> inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4,
> inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
> ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
> declared with attribute warning: detected read beyond size of field (2nd parameter);
> maybe use struct_group()? [-Wattribute-warning]
> 529 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> In function ‘fortify_memcpy_chk’,
> inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3,
> inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2,
> inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
> ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
> declared with attribute warning: detected read beyond size of field (2nd parameter);
> maybe use struct_group()? [-Wattribute-warning]
> 529 | __read_overflow2_field(q_size_field, size);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> In both cases, the compiler complains about:
>
> memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
>
> which is the legal way to copy both 'ba_low' and following 'ba_high'
> members of 'struct ath_tx_status' at once (that is, issue one 8-byte
> 'memcpy()' for two 4-byte fields). Since the fortification logic seems
> to interpret this trick as an attempt to overread 4-byte 'ba_low', silence
> relevant warnings by using the convenient 'struct_group()' quirk.
>
> Suggested-by: Johannes Berg <johannes@sipsolutions.net>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
* Re: [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array
From: Kalle Valo @ 2023-07-25 14:28 UTC (permalink / raw)
To: Dmitry Antipov
Cc: Toke Høiland-Jørgensen, linux-wireless, Dmitry Antipov
Dmitry Antipov <dmantipov@yandex.ru> wrote:
> In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so
> add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'.
>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
2 patches applied to ath-next branch of ath.git, thanks.
90f2ba4896e2 wifi: ath9k: avoid using uninitialized array
810e41cebb6c wifi: ath9k: fix fortify warnings
--
https://patchwork.kernel.org/project/linux-wireless/patch/20230620080855.396851-1-dmantipov@yandex.ru/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches