From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>,
Simon Horman <simon.horman@corigine.com>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
johannes@sipsolutions.net, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.3 17/22] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
Date: Sun, 9 Jul 2023 11:13:51 -0400 [thread overview]
Message-ID: <20230709151356.513279-17-sashal@kernel.org> (raw)
In-Reply-To: <20230709151356.513279-1-sashal@kernel.org>
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ]
-Wstringop-overflow is legitimately warning us about extra_size
pontentially being zero at some point, hence potenially ending
up _allocating_ zero bytes of memory for extra pointer and then
trying to access such object in a call to copy_from_user().
Fix this by adding a sanity check to ensure we never end up
trying to allocate zero bytes of data for extra pointer, before
continue executing the rest of the code in the function.
Address the following -Wstringop-overflow warning seen when built
m68k architecture with allyesconfig configuration:
from net/wireless/wext-core.c:11:
In function '_copy_from_user',
inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
48 | #define memset(d, c, n) __builtin_memset(d, c, n)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
153 | memset(to + (n - res), 0, res);
| ^~~~~~
In function 'kmalloc',
inlined from 'kzalloc' at include/linux/slab.h:694:9,
inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
577 | return __kmalloc(size, flags);
| ^~~~~~~~~~~~~~~~~~~~~~
This help with the ongoing efforts to globally enable
-Wstringop-overflow.
Link: https://github.com/KSPP/linux/issues/315
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/wext-core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index a125fd1fa1342..a161c64d1765e 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
}
}
+ /* Sanity-check to ensure we never end up _allocating_ zero
+ * bytes of data for extra.
+ */
+ if (extra_size <= 0)
+ return -EFAULT;
+
/* kzalloc() ensures NULL-termination for essid_compat. */
extra = kzalloc(extra_size, GFP_KERNEL);
if (!extra)
--
2.39.2
next prev parent reply other threads:[~2023-07-09 15:16 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-09 15:13 [PATCH AUTOSEL 6.3 01/22] wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 02/22] bpf: Print a warning only if writing to unprivileged_bpf_disabled Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 03/22] wifi: rtw89: 8851be: add 8851BE PCI entry and fill PCI capabilities Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 04/22] spi: s3c64xx: change polling mode to optional Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 05/22] bpf: Address KCSAN report on bpf_lru_list Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 06/22] bpf: tcp: Avoid taking fast sock lock in iterator Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 07/22] bpf: Silence a warning in btf_type_id_size() Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 08/22] devlink: make health report on unregistered instance warn just once Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 09/22] wifi: ath11k: add support default regdb while searching board-2.bin for WCN6855 Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 10/22] wifi: mac80211_hwsim: Fix possible NULL dereference Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 11/22] spi: dw: Add compatible for Intel Mount Evans SoC Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 12/22] wifi: ath12k: Avoid NULL pointer access during management transmit cleanup Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 13/22] wifi: ath11k: fix memory leak in WMI firmware stats Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 14/22] wifi: iwlwifi: mvm: fix potential array out of bounds access Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 15/22] net: ethernet: litex: add support for 64 bit stats Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 16/22] devlink: report devlink_port_type_warn source device Sasha Levin
2023-07-09 15:13 ` Sasha Levin [this message]
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 18/22] wifi: iwlwifi: Add support for new PCI Id Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 19/22] wifi: iwlwifi: mvm: avoid baid size integer overflow Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 20/22] wifi: iwlwifi: pcie: add device id 51F1 for killer 1675 Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 21/22] igb: Fix igb_down hung on surprise removal Sasha Levin
2023-07-09 15:13 ` [PATCH AUTOSEL 6.3 22/22] net: hns3: fix strncpy() not using dest-buf length as length issue Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230709151356.513279-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavoars@kernel.org \
--cc=johannes.berg@intel.com \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=simon.horman@corigine.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox