Message ID | 20210727205855.411487-8-keescook@chromium.org (mailing list archive) |
---|---|
State | Not Applicable |
Headers | show |
Series | Introduce strict memcpy() bounds checking | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On 7/27/21 3:57 PM, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Use struct_group() around members addr1, addr2, and addr3 in struct > rtllib_hdr_4addr, and members qui, qui_type, qui_subtype, version, > and ac_info in struct rtllib_qos_information_element, so they can be > referenced together. This will allow memcpy() and sizeof() to more easily > reason about sizes, improve readability, and avoid future warnings about > writing beyond the end of addr1 and qui. > > "pahole" shows no size nor member offset changes to struct > rtllib_hdr_4addr nor struct rtllib_qos_information_element. "objdump -d" > shows no meaningful object code changes (i.e. only source line number > induced differences and optimizations). > > Signed-off-by: Kees Cook<keescook@chromium.org> Tested-by: Larry Finger <Larry.Finger@lwfinger.net> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Looks good. Larry
On Tue, Jul 27, 2021 at 01:57:58PM -0700, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Use struct_group() around members addr1, addr2, and addr3 in struct > rtllib_hdr_4addr, and members qui, qui_type, qui_subtype, version, > and ac_info in struct rtllib_qos_information_element, so they can be > referenced together. This will allow memcpy() and sizeof() to more easily > reason about sizes, improve readability, and avoid future warnings about > writing beyond the end of addr1 and qui. > > "pahole" shows no size nor member offset changes to struct > rtllib_hdr_4addr nor struct rtllib_qos_information_element. "objdump -d" > shows no meaningful object code changes (i.e. only source line number > induced differences and optimizations). > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/staging/rtl8192e/rtllib.h | 20 ++++++++++++-------- > drivers/staging/rtl8192e/rtllib_crypt_ccmp.c | 3 ++- > drivers/staging/rtl8192e/rtllib_rx.c | 8 ++++---- > 3 files changed, 18 insertions(+), 13 deletions(-) Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/staging/rtl8192e/rtllib.h b/drivers/staging/rtl8192e/rtllib.h index c6f8b772335c..547579070a82 100644 --- a/drivers/staging/rtl8192e/rtllib.h +++ b/drivers/staging/rtl8192e/rtllib.h @@ -759,9 +759,11 @@ struct rtllib_hdr_3addr { struct rtllib_hdr_4addr { __le16 frame_ctl; __le16 duration_id; - u8 addr1[ETH_ALEN]; - u8 addr2[ETH_ALEN]; - u8 addr3[ETH_ALEN]; + struct_group(addrs, + u8 addr1[ETH_ALEN]; + u8 addr2[ETH_ALEN]; + u8 addr3[ETH_ALEN]; + ); __le16 seq_ctl; u8 addr4[ETH_ALEN]; u8 payload[]; @@ -921,11 +923,13 @@ union frameqos { struct rtllib_qos_information_element { u8 elementID; u8 length; - u8 qui[QOS_OUI_LEN]; - u8 qui_type; - u8 qui_subtype; - u8 version; - u8 ac_info; + struct_group(data, + u8 qui[QOS_OUI_LEN]; + u8 qui_type; + u8 qui_subtype; + u8 version; + u8 ac_info; + ); } __packed; struct rtllib_qos_ac_parameter { diff --git a/drivers/staging/rtl8192e/rtllib_crypt_ccmp.c b/drivers/staging/rtl8192e/rtllib_crypt_ccmp.c index b60e2a109ce4..66b3a13fced7 100644 --- a/drivers/staging/rtl8192e/rtllib_crypt_ccmp.c +++ b/drivers/staging/rtl8192e/rtllib_crypt_ccmp.c @@ -133,7 +133,8 @@ static int ccmp_init_iv_and_aad(struct rtllib_hdr_4addr *hdr, pos = (u8 *) hdr; aad[0] = pos[0] & 0x8f; aad[1] = pos[1] & 0xc7; - memcpy(aad + 2, hdr->addr1, 3 * ETH_ALEN); + BUILD_BUG_ON(sizeof(hdr->addrs) != (3 * ETH_ALEN)); + memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN); pos = (u8 *) &hdr->seq_ctl; aad[20] = pos[0] & 0x0f; aad[21] = 0; /* all bits masked */ diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c index c2209c033838..9c4b686d2756 100644 --- a/drivers/staging/rtl8192e/rtllib_rx.c +++ b/drivers/staging/rtl8192e/rtllib_rx.c @@ -1576,13 +1576,13 @@ static int rtllib_read_qos_param_element(struct rtllib_qos_parameter_info *info_element) { int ret = 0; - u16 size = sizeof(struct rtllib_qos_parameter_info) - 2; + u16 size = sizeof(element_param->info_element.data); if ((info_element == NULL) || (element_param == NULL)) return -1; if (info_element->id == QOS_ELEMENT_ID && info_element->len == size) { - memcpy(element_param->info_element.qui, info_element->data, + memcpy(&element_param->info_element.data, info_element->data, info_element->len); element_param->info_element.elementID = info_element->id; element_param->info_element.length = info_element->len; @@ -1601,7 +1601,7 @@ static int rtllib_read_qos_info_element(struct rtllib_qos_information_element *info_element) { int ret = 0; - u16 size = sizeof(struct rtllib_qos_information_element) - 2; + u16 size = sizeof(element_info->data); if (element_info == NULL) return -1; @@ -1610,7 +1610,7 @@ static int rtllib_read_qos_info_element(struct rtllib_qos_information_element if ((info_element->id == QOS_ELEMENT_ID) && (info_element->len == size)) { - memcpy(element_info->qui, info_element->data, + memcpy(&element_info->data, info_element->data, info_element->len); element_info->elementID = info_element->id; element_info->length = info_element->len;
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() around members addr1, addr2, and addr3 in struct rtllib_hdr_4addr, and members qui, qui_type, qui_subtype, version, and ac_info in struct rtllib_qos_information_element, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of addr1 and qui. "pahole" shows no size nor member offset changes to struct rtllib_hdr_4addr nor struct rtllib_qos_information_element. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations). Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/staging/rtl8192e/rtllib.h | 20 ++++++++++++-------- drivers/staging/rtl8192e/rtllib_crypt_ccmp.c | 3 ++- drivers/staging/rtl8192e/rtllib_rx.c | 8 ++++---- 3 files changed, 18 insertions(+), 13 deletions(-)