| Message ID | 20220608215512.1070847-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 67ea0a2adbf667cd6da4965fbcfd0da741035084 |
| Headers | show |
| Series | staging: rtl8723bs: Allocate full pwep structure | expand |
Le 08/06/2022 à 23:55, Kees Cook a écrit : > The pwep allocation was always being allocated smaller than the true > structure size. Avoid this by always allocating the full structure. > Found with GCC 12 and -Warray-bounds: > > ../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c: In function 'rtw_set_encryption': > ../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c:591:29: warning: array subscript 'struct ndis_802_11_wep[0]' is partly outside array bounds of 'void[25]' [-Warray-bounds] > 591 | pwep->length = wep_total_len; > | ^~ > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: Fabio Aiuto <fabioaiuto83@gmail.com> > Cc: Hans de Goede <hdegoede@redhat.com> > Cc: linux-staging@lists.linux.dev > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > index ece97e37ac91..30374a820496 100644 > --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > @@ -90,7 +90,8 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, > if (wep_key_len > 0) { > wep_key_len = wep_key_len <= 5 ? 5 : 13; > wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); > - pwep = kzalloc(wep_total_len, GFP_KERNEL); > + /* Allocate a full structure to avoid potentially running off the end. */ > + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); > if (!pwep) { > ret = -ENOMEM; > goto exit; > @@ -582,7 +583,8 @@ static int rtw_set_encryption(struct net_device *dev, struct ieee_param *param, > if (wep_key_len > 0) { > wep_key_len = wep_key_len <= 5 ? 5 : 13; > wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); > - pwep = kzalloc(wep_total_len, GFP_KERNEL); > + /* Allocate a full structure to avoid potentially running off the end. */ > + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); > if (!pwep) Hi, while at it (and un-related tyo your patch), I think that 'ret' should also be updated here, otherwise we return 0. CJ > goto exit; >
On Sat, Jun 18, 2022 at 09:51:36AM +0200, Christophe JAILLET wrote: > > diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > > index ece97e37ac91..30374a820496 100644 > > --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > > +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > > @@ -90,7 +90,8 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, > > if (wep_key_len > 0) { > > wep_key_len = wep_key_len <= 5 ? 5 : 13; > > wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); > > - pwep = kzalloc(wep_total_len, GFP_KERNEL); > > + /* Allocate a full structure to avoid potentially running off the end. */ > > + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); > > if (!pwep) { > > ret = -ENOMEM; > > goto exit; > > @@ -582,7 +583,8 @@ static int rtw_set_encryption(struct net_device *dev, struct ieee_param *param, > > if (wep_key_len > 0) { > > wep_key_len = wep_key_len <= 5 ? 5 : 13; > > wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); > > - pwep = kzalloc(wep_total_len, GFP_KERNEL); > > + /* Allocate a full structure to avoid potentially running off the end. */ > > + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); > > if (!pwep) > > Hi, > > while at it (and un-related tyo your patch), I think that 'ret' should also > be updated here, otherwise we return 0. > Too late. Smatch does catch that bug btw. drivers/staging/r8188eu/os_dep/ioctl_linux.c:409 wpa_set_encryption() warn: missing error code here? 'kzalloc()' failed. 'ret' = '0' regards, dan carpenter
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index ece97e37ac91..30374a820496 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -90,7 +90,8 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, if (wep_key_len > 0) { wep_key_len = wep_key_len <= 5 ? 5 : 13; wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); - pwep = kzalloc(wep_total_len, GFP_KERNEL); + /* Allocate a full structure to avoid potentially running off the end. */ + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); if (!pwep) { ret = -ENOMEM; goto exit; @@ -582,7 +583,8 @@ static int rtw_set_encryption(struct net_device *dev, struct ieee_param *param, if (wep_key_len > 0) { wep_key_len = wep_key_len <= 5 ? 5 : 13; wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, key_material); - pwep = kzalloc(wep_total_len, GFP_KERNEL); + /* Allocate a full structure to avoid potentially running off the end. */ + pwep = kzalloc(sizeof(*pwep), GFP_KERNEL); if (!pwep) goto exit;
The pwep allocation was always being allocated smaller than the true structure size. Avoid this by always allocating the full structure. Found with GCC 12 and -Warray-bounds: ../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c: In function 'rtw_set_encryption': ../drivers/staging/rtl8723bs/os_dep/ioctl_linux.c:591:29: warning: array subscript 'struct ndis_802_11_wep[0]' is partly outside array bounds of 'void[25]' [-Warray-bounds] 591 | pwep->length = wep_total_len; | ^~ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Fabio Aiuto <fabioaiuto83@gmail.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: linux-staging@lists.linux.dev Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)