From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dmitry Antipov <dmantipov@yandex.ru>,
Brian Norris <briannorris@chromium.org>,
Kalle Valo <kvalo@kernel.org>, Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 06/26] wifi: mwifiex: fix fortify warning
Date: Fri, 8 Sep 2023 14:17:44 -0400 [thread overview]
Message-ID: <20230908181806.3460164-6-sashal@kernel.org> (raw)
In-Reply-To: <20230908181806.3460164-1-sashal@kernel.org>
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit dcce94b80a954a8968ff29fafcfb066d6197fa9a ]
When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
I've noticed the following:
In function ‘fortify_memcpy_chk’,
inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3,
inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
529 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The compiler actually complains on:
memmove(pos + ETH_ALEN, &mgmt->u.action.category,
sizeof(mgmt->u.action.u.tdls_discover_resp));
and it happens because the fortification logic interprets this
as an attempt to overread 1-byte 'u.action.category' member of
'struct ieee80211_mgmt'. To silence this warning, it's enough
to pass an address of 'u.action' itself instead of an address
of its first member.
This also fixes an improper usage of 'sizeof()'. Since 'skb' is
extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1'
bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'),
I assume that the same number of bytes should be copied.
Suggested-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230629085115.180499-2-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
index 97bb87c3676bb..6c60621b6cccb 100644
--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
@@ -735,6 +735,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
int ret;
u16 capab;
struct ieee80211_ht_cap *ht_cap;
+ unsigned int extra;
u8 radio, *pos;
capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap;
@@ -753,7 +754,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
switch (action_code) {
case WLAN_PUB_ACTION_TDLS_DISCOVER_RES:
- skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1);
+ /* See the layout of 'struct ieee80211_mgmt'. */
+ extra = sizeof(mgmt->u.action.u.tdls_discover_resp) +
+ sizeof(mgmt->u.action.category);
+ skb_put(skb, extra);
mgmt->u.action.category = WLAN_CATEGORY_PUBLIC;
mgmt->u.action.u.tdls_discover_resp.action_code =
WLAN_PUB_ACTION_TDLS_DISCOVER_RES;
@@ -762,8 +766,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
mgmt->u.action.u.tdls_discover_resp.capability =
cpu_to_le16(capab);
/* move back for addr4 */
- memmove(pos + ETH_ALEN, &mgmt->u.action.category,
- sizeof(mgmt->u.action.u.tdls_discover_resp));
+ memmove(pos + ETH_ALEN, &mgmt->u.action, extra);
/* init address 4 */
eth_broadcast_addr(pos);
--
2.40.1
next prev parent reply other threads:[~2023-09-08 18:21 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-08 18:17 [PATCH AUTOSEL 6.1 01/26] devlink: remove reload failed checks in params get/set callbacks Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 02/26] crypto: lrw,xts - Replace strlcpy with strscpy Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 03/26] ice: Don't tx before switchdev is fully configured Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 04/26] wifi: ath9k: fix fortify warnings Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 05/26] wifi: ath9k: fix printk specifier Sasha Levin
2023-09-08 18:17 ` Sasha Levin [this message]
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 07/26] mt76: mt7921: don't assume adequate headroom for SDIO headers Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 08/26] wifi: wil6210: fix fortify warnings Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 09/26] can: sun4i_can: Add acceptance register quirk Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 10/26] can: sun4i_can: Add support for the Allwinner D1 Sasha Levin
2023-09-11 9:47 ` Pavel Machek
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 11/26] net: Use sockaddr_storage for getsockopt(SO_PEERNAME) Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 12/26] net/ipv4: return the real errno instead of -EINVAL Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 13/26] crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 14/26] Bluetooth: Fix hci_suspend_sync crash Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 15/26] netlink: convert nlk->flags to atomic flags Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 16/26] tpm_tis: Resend command to recover from data transfer errors Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 17/26] mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 18/26] alx: fix OOB-read compiler warning Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 19/26] wifi: mac80211: check S1G action frame size Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 20/26] netfilter: ebtables: fix fortify warnings in size_entry_mwt() Sasha Levin
2023-09-08 18:17 ` [PATCH AUTOSEL 6.1 21/26] wifi: cfg80211: reject auth/assoc to AP with our address Sasha Levin
2023-09-08 18:18 ` [PATCH AUTOSEL 6.1 22/26] wifi: cfg80211: ocb: don't leave if not joined Sasha Levin
2023-09-08 18:18 ` [PATCH AUTOSEL 6.1 23/26] wifi: mac80211: check for station first in client probe Sasha Levin
2023-09-08 18:18 ` [PATCH AUTOSEL 6.1 24/26] wifi: mac80211_hwsim: drop short frames Sasha Levin
2023-09-08 18:18 ` [PATCH AUTOSEL 6.1 25/26] libbpf: Free btf_vmlinux when closing bpf_object Sasha Levin
2023-09-08 18:18 ` [PATCH AUTOSEL 6.1 26/26] Bluetooth: btusb: Fix quirks table naming Sasha Levin
2023-09-08 21:44 ` [PATCH AUTOSEL 6.1 01/26] devlink: remove reload failed checks in params get/set callbacks Jacob Keller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230908181806.3460164-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=briannorris@chromium.org \
--cc=dmantipov@yandex.ru \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox