* [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array
@ 2023-06-20 8:08 Dmitry Antipov
2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dmitry Antipov @ 2023-06-20 8:08 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Kalle Valo, linux-wireless, Dmitry Antipov
In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so
add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
drivers/net/wireless/ath/ath9k/xmit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index f6f2ab7a63ff..8babaaacacf5 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -466,6 +466,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
*nframes = 0;
isaggr = bf_isaggr(bf);
+ memset(ba, 0, WME_BA_BMP_SIZE >> 3);
+
if (isaggr) {
seq_st = ts->ts_seqnum;
memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
--
2.41.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings 2023-06-20 8:08 [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Dmitry Antipov @ 2023-06-20 8:08 ` Dmitry Antipov 2023-06-20 12:05 ` Toke Høiland-Jørgensen 2023-06-20 12:05 ` [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Toke Høiland-Jørgensen 2023-07-25 14:28 ` Kalle Valo 2 siblings, 1 reply; 5+ messages in thread From: Dmitry Antipov @ 2023-06-20 8:08 UTC (permalink / raw) To: Toke Høiland-Jørgensen Cc: Kalle Valo, linux-wireless, Dmitry Antipov, Johannes Berg When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: In function ‘fortify_memcpy_chk’, inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4, inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function ‘fortify_memcpy_chk’, inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3, inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2, inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In both cases, the compiler complains on: memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); which is the legal way to copy both 'ba_low' and following 'ba_high' members of 'struct ath_tx_status' at once (that is, issue one 8-byte 'memcpy()' for two 4-byte fields). Since the fortification logic seems interprets this trick as an attempt to overread 4-byte 'ba_low', silence relevant warnings by using the convenient 'struct_group()' quirk. Suggested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> --- v2: prefer struct_group() over offsetof() (Johannes Berg) --- drivers/net/wireless/ath/ath9k/mac.h | 6 ++++-- drivers/net/wireless/ath/ath9k/xmit.c | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/mac.h b/drivers/net/wireless/ath/ath9k/mac.h index af44b33814dd..f03d792732da 100644 --- a/drivers/net/wireless/ath/ath9k/mac.h +++ b/drivers/net/wireless/ath/ath9k/mac.h @@ -115,8 +115,10 @@ struct ath_tx_status { u8 qid; u16 desc_id; u8 tid; - u32 ba_low; - u32 ba_high; + struct_group(ba, + u32 ba_low; + u32 ba_high; + ); u32 evm0; u32 evm1; u32 evm2; diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 8babaaacacf5..4e939dcac1c9 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -470,7 +470,7 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf, if (isaggr) { seq_st = ts->ts_seqnum; - memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); + memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3); } while (bf) { @@ -553,7 +553,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq, if (isaggr && txok) { if (ts->ts_flags & ATH9K_TX_BA) { seq_st = ts->ts_seqnum; - memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); + memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3); } else { /* * AR5416 can become deaf/mute when BA -- 2.41.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings 2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov @ 2023-06-20 12:05 ` Toke Høiland-Jørgensen 0 siblings, 0 replies; 5+ messages in thread From: Toke Høiland-Jørgensen @ 2023-06-20 12:05 UTC (permalink / raw) To: Dmitry Antipov; +Cc: Kalle Valo, linux-wireless, Dmitry Antipov, Johannes Berg Dmitry Antipov <dmantipov@yandex.ru> writes: > When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, > I've noticed the following: > > In function ‘fortify_memcpy_chk’, > inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4, > inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: > ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ > declared with attribute warning: detected read beyond size of field (2nd parameter); > maybe use struct_group()? [-Wattribute-warning] > 529 | __read_overflow2_field(q_size_field, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > In function ‘fortify_memcpy_chk’, > inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3, > inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2, > inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: > ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ > declared with attribute warning: detected read beyond size of field (2nd parameter); > maybe use struct_group()? [-Wattribute-warning] > 529 | __read_overflow2_field(q_size_field, size); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > In both cases, the compiler complains on: > > memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); > > which is the legal way to copy both 'ba_low' and following 'ba_high' > members of 'struct ath_tx_status' at once (that is, issue one 8-byte > 'memcpy()' for two 4-byte fields). Since the fortification logic seems > interprets this trick as an attempt to overread 4-byte 'ba_low', silence > relevant warnings by using the convenient 'struct_group()' quirk. > > Suggested-by: Johannes Berg <johannes@sipsolutions.net> > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array 2023-06-20 8:08 [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Dmitry Antipov 2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov @ 2023-06-20 12:05 ` Toke Høiland-Jørgensen 2023-07-25 14:28 ` Kalle Valo 2 siblings, 0 replies; 5+ messages in thread From: Toke Høiland-Jørgensen @ 2023-06-20 12:05 UTC (permalink / raw) To: Dmitry Antipov; +Cc: Kalle Valo, linux-wireless, Dmitry Antipov Dmitry Antipov <dmantipov@yandex.ru> writes: > In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so > add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'. > > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array 2023-06-20 8:08 [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Dmitry Antipov 2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov 2023-06-20 12:05 ` [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Toke Høiland-Jørgensen @ 2023-07-25 14:28 ` Kalle Valo 2 siblings, 0 replies; 5+ messages in thread From: Kalle Valo @ 2023-07-25 14:28 UTC (permalink / raw) To: Dmitry Antipov Cc: Toke Høiland-Jørgensen, linux-wireless, Dmitry Antipov Dmitry Antipov <dmantipov@yandex.ru> wrote: > In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so > add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'. > > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> > Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> 2 patches applied to ath-next branch of ath.git, thanks. 90f2ba4896e2 wifi: ath9k: avoid using uninitialized array 810e41cebb6c wifi: ath9k: fix fortify warnings -- https://patchwork.kernel.org/project/linux-wireless/patch/20230620080855.396851-1-dmantipov@yandex.ru/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-07-25 14:29 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-06-20 8:08 [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Dmitry Antipov 2023-06-20 8:08 ` [PATCH 2/2] [v2] wifi: ath9k: fix fortify warnings Dmitry Antipov 2023-06-20 12:05 ` Toke Høiland-Jørgensen 2023-06-20 12:05 ` [PATCH 1/2] [v2] wifi: ath9k: avoid using uninitialized array Toke Høiland-Jørgensen 2023-07-25 14:28 ` Kalle Valo
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).