| Message ID | 20211213223331.135412-9-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | Enable strict compile-time memcpy() fortify checks | expand |
Kees Cook <keescook@chromium.org> writes: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memset(), avoid intentionally writing across > neighboring fields. > > Use memset_startat() so memset() doesn't get confused about writing > beyond the destination member that is intended to be the starting point > of zeroing through the end of the struct. Additionally split up a later > field-spanning memset() so that memset() can reason about the size. > > Cc: Kalle Valo <kvalo@codeaurora.org> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: ath11k@lists.infradead.org > Cc: linux-wireless@vger.kernel.org > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> What's the plan for this patch? I would like to take this via my ath tree to avoid conflicts.
Kalle Valo <kvalo@kernel.org> writes: > Kees Cook <keescook@chromium.org> writes: > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time >> field bounds checking for memset(), avoid intentionally writing across >> neighboring fields. >> >> Use memset_startat() so memset() doesn't get confused about writing >> beyond the destination member that is intended to be the starting point >> of zeroing through the end of the struct. Additionally split up a later >> field-spanning memset() so that memset() can reason about the size. >> >> Cc: Kalle Valo <kvalo@codeaurora.org> >> Cc: "David S. Miller" <davem@davemloft.net> >> Cc: Jakub Kicinski <kuba@kernel.org> >> Cc: ath11k@lists.infradead.org >> Cc: linux-wireless@vger.kernel.org >> Cc: netdev@vger.kernel.org >> Signed-off-by: Kees Cook <keescook@chromium.org> > > What's the plan for this patch? I would like to take this via my ath > tree to avoid conflicts. Actually this has been already applied: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=d5549e9a6b86 Why are you submitting the same patch twice?
On Tue, Dec 14, 2021 at 05:46:31PM +0200, Kalle Valo wrote: > Kalle Valo <kvalo@kernel.org> writes: > > > Kees Cook <keescook@chromium.org> writes: > > > >> In preparation for FORTIFY_SOURCE performing compile-time and run-time > >> field bounds checking for memset(), avoid intentionally writing across > >> neighboring fields. > >> > >> Use memset_startat() so memset() doesn't get confused about writing > >> beyond the destination member that is intended to be the starting point > >> of zeroing through the end of the struct. Additionally split up a later > >> field-spanning memset() so that memset() can reason about the size. > >> > >> Cc: Kalle Valo <kvalo@codeaurora.org> > >> Cc: "David S. Miller" <davem@davemloft.net> > >> Cc: Jakub Kicinski <kuba@kernel.org> > >> Cc: ath11k@lists.infradead.org > >> Cc: linux-wireless@vger.kernel.org > >> Cc: netdev@vger.kernel.org > >> Signed-off-by: Kees Cook <keescook@chromium.org> > > > > What's the plan for this patch? I would like to take this via my ath > > tree to avoid conflicts. > > Actually this has been already applied: > > https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=d5549e9a6b86 > > Why are you submitting the same patch twice? These are all part of a topic branch, and the cover letter mentioned that a set of them have already been taken but haven't appeared in -next (which was delayed). Sorry for the confusion!
Kees Cook <keescook@chromium.org> writes: > On Tue, Dec 14, 2021 at 05:46:31PM +0200, Kalle Valo wrote: >> Kalle Valo <kvalo@kernel.org> writes: >> >> > Kees Cook <keescook@chromium.org> writes: >> > >> >> In preparation for FORTIFY_SOURCE performing compile-time and run-time >> >> field bounds checking for memset(), avoid intentionally writing across >> >> neighboring fields. >> >> >> >> Use memset_startat() so memset() doesn't get confused about writing >> >> beyond the destination member that is intended to be the starting point >> >> of zeroing through the end of the struct. Additionally split up a later >> >> field-spanning memset() so that memset() can reason about the size. >> >> >> >> Cc: Kalle Valo <kvalo@codeaurora.org> >> >> Cc: "David S. Miller" <davem@davemloft.net> >> >> Cc: Jakub Kicinski <kuba@kernel.org> >> >> Cc: ath11k@lists.infradead.org >> >> Cc: linux-wireless@vger.kernel.org >> >> Cc: netdev@vger.kernel.org >> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> > >> > What's the plan for this patch? I would like to take this via my ath >> > tree to avoid conflicts. >> >> Actually this has been already applied: >> >> https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=d5549e9a6b86 >> >> Why are you submitting the same patch twice? > > These are all part of a topic branch, and the cover letter mentioned > that a set of them have already been taken but haven't appeared in -next > (which was delayed). Do note that some wireless drivers (at least ath, mt76 and iwlwifi) are maintained in separate trees, so don't be surprised if it takes several weeks before they are visible in linux-next.
diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.c b/drivers/net/wireless/ath/ath11k/hal_rx.c index 329c404cfa80..0e43e215c10a 100644 --- a/drivers/net/wireless/ath/ath11k/hal_rx.c +++ b/drivers/net/wireless/ath/ath11k/hal_rx.c @@ -29,8 +29,7 @@ static int ath11k_hal_reo_cmd_queue_stats(struct hal_tlv_hdr *tlv, FIELD_PREP(HAL_TLV_HDR_LEN, sizeof(*desc)); desc = (struct hal_reo_get_queue_stats *)tlv->value; - memset(&desc->queue_addr_lo, 0, - (sizeof(*desc) - sizeof(struct hal_reo_cmd_hdr))); + memset_startat(desc, 0, queue_addr_lo); desc->cmd.info0 &= ~HAL_REO_CMD_HDR_INFO0_STATUS_REQUIRED; if (cmd->flag & HAL_REO_CMD_FLG_NEED_STATUS) @@ -62,8 +61,7 @@ static int ath11k_hal_reo_cmd_flush_cache(struct ath11k_hal *hal, struct hal_tlv FIELD_PREP(HAL_TLV_HDR_LEN, sizeof(*desc)); desc = (struct hal_reo_flush_cache *)tlv->value; - memset(&desc->cache_addr_lo, 0, - (sizeof(*desc) - sizeof(struct hal_reo_cmd_hdr))); + memset_startat(desc, 0, cache_addr_lo); desc->cmd.info0 &= ~HAL_REO_CMD_HDR_INFO0_STATUS_REQUIRED; if (cmd->flag & HAL_REO_CMD_FLG_NEED_STATUS) @@ -101,8 +99,7 @@ static int ath11k_hal_reo_cmd_update_rx_queue(struct hal_tlv_hdr *tlv, FIELD_PREP(HAL_TLV_HDR_LEN, sizeof(*desc)); desc = (struct hal_reo_update_rx_queue *)tlv->value; - memset(&desc->queue_addr_lo, 0, - (sizeof(*desc) - sizeof(struct hal_reo_cmd_hdr))); + memset_startat(desc, 0, queue_addr_lo); desc->cmd.info0 &= ~HAL_REO_CMD_HDR_INFO0_STATUS_REQUIRED; if (cmd->flag & HAL_REO_CMD_FLG_NEED_STATUS) @@ -764,15 +761,17 @@ void ath11k_hal_reo_qdesc_setup(void *vaddr, int tid, u32 ba_window_size, * size changes and also send WMI message to FW to change the REO * queue descriptor in Rx peer entry as part of dp_rx_tid_update. */ - memset(ext_desc, 0, 3 * sizeof(*ext_desc)); + memset(ext_desc, 0, sizeof(*ext_desc)); ath11k_hal_reo_set_desc_hdr(&ext_desc->desc_hdr, HAL_DESC_REO_OWNED, HAL_DESC_REO_QUEUE_EXT_DESC, REO_QUEUE_DESC_MAGIC_DEBUG_PATTERN_1); ext_desc++; + memset(ext_desc, 0, sizeof(*ext_desc)); ath11k_hal_reo_set_desc_hdr(&ext_desc->desc_hdr, HAL_DESC_REO_OWNED, HAL_DESC_REO_QUEUE_EXT_DESC, REO_QUEUE_DESC_MAGIC_DEBUG_PATTERN_2); ext_desc++; + memset(ext_desc, 0, sizeof(*ext_desc)); ath11k_hal_reo_set_desc_hdr(&ext_desc->desc_hdr, HAL_DESC_REO_OWNED, HAL_DESC_REO_QUEUE_EXT_DESC, REO_QUEUE_DESC_MAGIC_DEBUG_PATTERN_3);
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_startat() so memset() doesn't get confused about writing beyond the destination member that is intended to be the starting point of zeroing through the end of the struct. Additionally split up a later field-spanning memset() so that memset() can reason about the size. Cc: Kalle Valo <kvalo@codeaurora.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: ath11k@lists.infradead.org Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/wireless/ath/ath11k/hal_rx.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)