From: Brian Norris <briannorris@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Francesco Dolcini <francesco@dolcini.it>,
Johannes Berg <johannes.berg@intel.com>,
Kees Cook <kees@kernel.org>,
Sascha Hauer <s.hauer@pengutronix.de>,
Dmitry Antipov <dmantipov@yandex.ru>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Jeff Johnson <quic_jjohnson@quicinc.com>,
David Lin <yu-hao.lin@nxp.com>,
linux-hardening@vger.kernel.org, Kalle Valo <kvalo@kernel.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Subject: Re: [PATCH v2 2/2] wifi: mwifiex: Annotate mwifiex_ie_types_wildcard_ssid_params with __counted_by()
Date: Tue, 15 Oct 2024 15:06:53 -0700 [thread overview]
Message-ID: <Zw7nfaYZHP-HIqWQ@google.com> (raw)
In-Reply-To: <20241007222301.24154-2-alpernebiyasak@gmail.com>
Hi Alper,
On Tue, Oct 08, 2024 at 01:20:55AM +0300, Alper Nebi Yasak wrote:
> Add the __counted_by compiler attribute to the flexible array member
> `ssid` to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
> CONFIG_FORTIFY_SOURCE.
>
> Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
> ---
> I've mimicked the commit messages from `git log -S"__counted_by("`.
> Since they refer to UBSAN I tried testing with CONFIG_KASAN (w/
> kasan_multi_shot), CONFIG_UBSAN and CONFIG_FORTIFY_SOURCE. I do not
> get any errors relating to this module with those options, but have
> others -- I even had to test on another board altogether.
It's possible you don't have a new enough compiler to enable the
improved array bounds checks? Supposedly, that's new in GCC 15 and Clang
18. But I'm not too familiar.
> This attribute was suggested in reviews, I don't fully understand it,
> but I am not sure it is correct in the context of this comment from
> scan.c (with irrelelvant parts omitted):
>
> ssid_len = user_scan_in->ssid_list[i].ssid_len;
>
> wildcard_ssid_tlv =
> (struct mwifiex_ie_types_wildcard_ssid_params *)
> tlv_pos;
>
> /*
> * max_ssid_length = 0 tells firmware to perform
> * specific scan for the SSID filled, whereas
> * max_ssid_length = IEEE80211_MAX_SSID_LEN is for
> * wildcard scan.
> */
> if (ssid_len)
> wildcard_ssid_tlv->max_ssid_length = 0;
> else
> wildcard_ssid_tlv->max_ssid_length =
> IEEE80211_MAX_SSID_LEN;
>
> memcpy(wildcard_ssid_tlv->ssid,
> user_scan_in->ssid_list[i].ssid, ssid_len);
>
> I expect we want to use __counted_by(ssid_len) instead, but do not have
> it in the struct. And max_ssid_length = 0 when ssid[] is non-empty, so
> is it really appropriate as the __counted_by()? But then again, I
> couldn't get this to produce a warning.
The correct length would be derived from header.len. But IIUC,
__counted_by neither supports nested structs, nor derived values.
But anyway, like you suspect, __counted_by(max_ssid_length) is actually
wrong.
I'd be happy to be enlighted by other experts on CC, but otherwise,
that's a "NACK" for patch 2. Thanks for looking into this though!
Regards,
Brian
> Changes in v2:
> - Add patch to annotate ssid field with __counted_by(max_ssid_length)
>
> drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
> index 4a96281792cc..e4e35ba35454 100644
> --- a/drivers/net/wireless/marvell/mwifiex/fw.h
> +++ b/drivers/net/wireless/marvell/mwifiex/fw.h
> @@ -875,7 +875,7 @@ struct mwifiex_ietypes_chanstats {
> struct mwifiex_ie_types_wildcard_ssid_params {
> struct mwifiex_ie_types_header header;
> u8 max_ssid_length;
> - u8 ssid[];
> + u8 ssid[] __counted_by(max_ssid_length);
> } __packed;
>
> #define TSF_DATA_SIZE 8
> --
> 2.45.2
>
next prev parent reply other threads:[~2024-10-15 22:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-07 22:20 [PATCH v2 1/2] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Alper Nebi Yasak
2024-10-07 22:20 ` [PATCH v2 2/2] wifi: mwifiex: Annotate mwifiex_ie_types_wildcard_ssid_params with __counted_by() Alper Nebi Yasak
2024-10-15 22:06 ` Brian Norris [this message]
2024-10-15 21:34 ` [PATCH v2 1/2] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Brian Norris
2024-10-17 16:50 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zw7nfaYZHP-HIqWQ@google.com \
--to=briannorris@chromium.org \
--cc=alpernebiyasak@gmail.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=dmantipov@yandex.ru \
--cc=francesco@dolcini.it \
--cc=gustavoars@kernel.org \
--cc=johannes.berg@intel.com \
--cc=kees@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=quic_jjohnson@quicinc.com \
--cc=s.hauer@pengutronix.de \
--cc=yu-hao.lin@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).