[v3,0/3] staging: rtl*: Check for NULL header value

Message ID	20220118193327.2822099-1-keescook@chromium.org (mailing list archive)
Headers	show Return-Path: <linux-hardening-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Kees Cook <keescook@chromium.org>, Larry Finger <Larry.Finger@lwfinger.net>, Phillip Potter <phil@philpotter.co.uk>, Michael Straube <straube.linux@gmail.com>, Fabio Aiuto <fabioaiuto83@gmail.com>, Florian Schilhabel <florian.c.schilhabel@googlemail.com>, Christophe JAILLET <christophe.jaillet@wanadoo.fr>, Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>, Ivan Safonov <insafonov@gmail.com>, Martin Kaiser <martin@kaiser.cx>, Yang Li <yang.lee@linux.alibaba.com>, Nathan Chancellor <nathan@kernel.org>, Hans de Goede <hdegoede@redhat.com>, Dan Carpenter <dan.carpenter@oracle.com>, Marco Cesati <marcocesati@gmail.com>, Joe Perches <joe@perches.com>, "Fabio M. De Francesco" <fmdefrancesco@gmail.com>, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH v3 0/3] staging: rtl*: Check for NULL header value Date: Tue, 18 Jan 2022 11:33:24 -0800 Message-Id: <20220118193327.2822099-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	staging: rtl: Check for NULL header value \| expand [v3,0/3] staging: rtl: Check for NULL header value [v3,1/3] staging: r8188eu: Drop get_recvframe_data() [v3,2/3] staging: rtl8723bs: Drop get_recvframe_data() [v3,3/3] staging: rtl8712: Drop get_recvframe_data()

Message ID

20220118193327.2822099-1-keescook@chromium.org (mailing list archive)

Headers

From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>,
        Larry Finger <Larry.Finger@lwfinger.net>,
        Phillip Potter <phil@philpotter.co.uk>,
        Michael Straube <straube.linux@gmail.com>,
        Fabio Aiuto <fabioaiuto83@gmail.com>,
        Florian Schilhabel <florian.c.schilhabel@googlemail.com>,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>,
        Ivan Safonov <insafonov@gmail.com>,
        Martin Kaiser <martin@kaiser.cx>,
        Yang Li <yang.lee@linux.alibaba.com>,
        Nathan Chancellor <nathan@kernel.org>,
        Hans de Goede <hdegoede@redhat.com>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Marco Cesati <marcocesati@gmail.com>,
        Joe Perches <joe@perches.com>,
        "Fabio M. De Francesco" <fmdefrancesco@gmail.com>,
        linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev,
        linux-hardening@vger.kernel.org
Subject: [PATCH v3 0/3] staging: rtl*: Check for NULL header value
Date: Tue, 18 Jan 2022 11:33:24 -0800
Message-Id: <20220118193327.2822099-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

staging: rtl*: Check for NULL header value | expand

Message

Kees Cook Jan. 18, 2022, 7:33 p.m. UTC

Hi,

When building with -Warray-bounds, the following warning is emitted:

In file included from ./include/linux/string.h:253,
                 from ./arch/x86/include/asm/page_32.h:22,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/thread_info.h:12,
                 from ./include/linux/thread_info.h:60,
                 from ./arch/x86/include/asm/preempt.h:7,
                 from ./include/linux/preempt.h:78,
                 from ./include/linux/rcupdate.h:27,
                 from ./include/linux/rculist.h:11,
                 from ./include/linux/sched/signal.h:5,
                 from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
                 from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
In function 'memcpy',
    inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
   41 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^

This is due to various paths to the memcpy() where the compile could
see the destination buffer having a NULL value. This series fixes this
by both eliminating cases where NULL returns were impossible and adding
missing NULL checks where values were possible.

Thanks!

-Kees

v1: https://lore.kernel.org/lkml/20220113002001.3498383-1-keescook@chromium.org/
v2: https://lore.kernel.org/lkml/20220115042427.824542-1-keescook@chromium.org
v3:
 - fix paste-o causing build failures (0day)


Kees Cook (3):
  staging: r8188eu: Drop get_recvframe_data()
  staging: rtl8723bs: Drop get_recvframe_data()
  staging: rtl8712: Drop get_recvframe_data()

 drivers/staging/r8188eu/core/rtw_recv.c        |  6 +++++-
 drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c  |  4 +---
 drivers/staging/r8188eu/include/rtw_recv.h     |  9 ---------
 drivers/staging/rtl8712/rtl871x_recv.c         |  4 ++--
 drivers/staging/rtl8712/rtl871x_recv.h         |  8 --------
 drivers/staging/rtl8723bs/core/rtw_recv.c      | 11 ++++++++---
 drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c |  3 +--
 drivers/staging/rtl8723bs/include/rtw_recv.h   | 11 -----------
 8 files changed, 17 insertions(+), 39 deletions(-)

Comments

Hans de Goede Jan. 20, 2022, 2:32 p.m. UTC | #1

Hi,

On 1/18/22 20:33, Kees Cook wrote:
> Hi,
> 
> When building with -Warray-bounds, the following warning is emitted:
> 
> In file included from ./include/linux/string.h:253,
>                  from ./arch/x86/include/asm/page_32.h:22,
>                  from ./arch/x86/include/asm/page.h:14,
>                  from ./arch/x86/include/asm/thread_info.h:12,
>                  from ./include/linux/thread_info.h:60,
>                  from ./arch/x86/include/asm/preempt.h:7,
>                  from ./include/linux/preempt.h:78,
>                  from ./include/linux/rcupdate.h:27,
>                  from ./include/linux/rculist.h:11,
>                  from ./include/linux/sched/signal.h:5,
>                  from ./drivers/staging/rtl8723bs/include/drv_types.h:17,
>                  from drivers/staging/rtl8723bs/core/rtw_recv.c:7:
> In function 'memcpy',
>     inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2:
> ./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds]
>    41 | #define __underlying_memcpy     __builtin_memcpy
>       |                                 ^
> 
> This is due to various paths to the memcpy() where the compile could
> see the destination buffer having a NULL value. This series fixes this
> by both eliminating cases where NULL returns were impossible and adding
> missing NULL checks where values were possible.
> 
> Thanks!

Thanks, the series looks good to me:

Reviewed-by: Hans de Goede <hdegoede@redhat.com>

for the entire series.

Regards,

Hans




> -Kees
> 
> v1: https://lore.kernel.org/lkml/20220113002001.3498383-1-keescook@chromium.org/
> v2: https://lore.kernel.org/lkml/20220115042427.824542-1-keescook@chromium.org
> v3:
>  - fix paste-o causing build failures (0day)
> 
> 
> Kees Cook (3):
>   staging: r8188eu: Drop get_recvframe_data()
>   staging: rtl8723bs: Drop get_recvframe_data()
>   staging: rtl8712: Drop get_recvframe_data()
> 
>  drivers/staging/r8188eu/core/rtw_recv.c        |  6 +++++-
>  drivers/staging/r8188eu/hal/rtl8188e_rxdesc.c  |  4 +---
>  drivers/staging/r8188eu/include/rtw_recv.h     |  9 ---------
>  drivers/staging/rtl8712/rtl871x_recv.c         |  4 ++--
>  drivers/staging/rtl8712/rtl871x_recv.h         |  8 --------
>  drivers/staging/rtl8723bs/core/rtw_recv.c      | 11 ++++++++---
>  drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c |  3 +--
>  drivers/staging/rtl8723bs/include/rtw_recv.h   | 11 -----------
>  8 files changed, 17 insertions(+), 39 deletions(-)
>