From patchwork Tue Jun 20 07:31:57 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dmitry Antipov <dmantipov@yandex.ru>
X-Patchwork-Id: 13285242
X-Patchwork-Delegate: toke@redhat.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F39ADEB64D7
	for <linux-wireless@archiver.kernel.org>;
 Tue, 20 Jun 2023 07:32:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229901AbjFTHct (ORCPT
        <rfc822;linux-wireless@archiver.kernel.org>);
        Tue, 20 Jun 2023 03:32:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36208 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229683AbjFTHcs (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 20 Jun 2023 03:32:48 -0400
Received: from forward102c.mail.yandex.net (forward102c.mail.yandex.net
 [IPv6:2a02:6b8:c03:500:1:45:d181:d102])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1E9711D
        for <linux-wireless@vger.kernel.org>;
 Tue, 20 Jun 2023 00:32:46 -0700 (PDT)
Received: from mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 (mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 [IPv6:2a02:6b8:c08:2087:0:640:7bf5:0])
        by forward102c.mail.yandex.net (Yandex) with ESMTP id 756AC6004B;
        Tue, 20 Jun 2023 10:32:44 +0300 (MSK)
Received: by mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 (smtp/Yandex) with ESMTPSA id UWb0SEqDfiE0-AGNkaZ9G;
        Tue, 20 Jun 2023 10:32:43 +0300
X-Yandex-Fwd: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1687246364;
        bh=s67ry7Co9MPhktxsgxXhz8/DBce/8Tak4qy6/Iz1lww=;
        h=Message-ID:Date:Cc:Subject:To:From;
        b=EtmzobNtIVFrceZeSKxv4ZJbLRBsLbEEhLwDE3Cu5s61KPFkzQLJPW4Rtiw5NHgnD
         BsXd099p1JskoPsBWiKy7dw6JZWjWnbHrlip5jAKFf5W9pemHcsO6Qi6KZVfLiFO3e
         w/l4e3XNErD/ZifyRTdcuMm14kA4SHcBqBsXs+6Q=
Authentication-Results: 
 mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net;
 dkim=pass header.i=@yandex.ru
From: Dmitry Antipov <dmantipov@yandex.ru>
To: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
Cc: Kalle Valo <kvalo@kernel.org>, linux-wireless@vger.kernel.org,
        Dmitry Antipov <dmantipov@yandex.ru>
Subject: [PATCH 1/2] wifi: ath9k: avoid using uninitialized array
Date: Tue, 20 Jun 2023 10:31:57 +0300
Message-ID: <20230620073228.363207-1-dmantipov@yandex.ru>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so
add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/ath/ath9k/xmit.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index f6f2ab7a63ff..8babaaacacf5 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -466,6 +466,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
 	*nframes = 0;
 
 	isaggr = bf_isaggr(bf);
+	memset(ba, 0, WME_BA_BMP_SIZE >> 3);
+
 	if (isaggr) {
 		seq_st = ts->ts_seqnum;
 		memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);

From patchwork Tue Jun 20 07:31:58 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Dmitry Antipov <dmantipov@yandex.ru>
X-Patchwork-Id: 13285243
X-Patchwork-Delegate: toke@redhat.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BE63BEB64DC
	for <linux-wireless@archiver.kernel.org>;
 Tue, 20 Jun 2023 07:32:52 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229753AbjFTHcv (ORCPT
        <rfc822;linux-wireless@archiver.kernel.org>);
        Tue, 20 Jun 2023 03:32:51 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36234 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229683AbjFTHcu (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 20 Jun 2023 03:32:50 -0400
Received: from forward102b.mail.yandex.net (forward102b.mail.yandex.net
 [IPv6:2a02:6b8:c02:900:1:45:d181:d102])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5ADBDDF
        for <linux-wireless@vger.kernel.org>;
 Tue, 20 Jun 2023 00:32:48 -0700 (PDT)
Received: from mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 (mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 [IPv6:2a02:6b8:c08:2087:0:640:7bf5:0])
        by forward102b.mail.yandex.net (Yandex) with ESMTP id 5DC4A6011D;
        Tue, 20 Jun 2023 10:32:46 +0300 (MSK)
Received: by mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
 (smtp/Yandex) with ESMTPSA id UWb0SEqDfiE0-gyPtXFwZ;
        Tue, 20 Jun 2023 10:32:45 +0300
X-Yandex-Fwd: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1687246365;
        bh=NijMV3+E8XkZYhvELiFDZ8763krT3D51AnOa5G+Egmg=;
        h=Cc:Message-ID:References:Date:In-Reply-To:Subject:To:From;
        b=c8x6xaGFOnlhhNwuIeeTyw4TBlpjiINAg65ice+8Yy7wfkTuj2BpLvguLlY4u8PhD
         fISfsLhCJ6kNsuPlm6243/yjvjF5gOqUfSnoKViiIX3pVW6lcR0D2BMpz73eCLzla+
         hHwggxT4yONILT9Eu97bIdQfAJhcezTmVg126JXA=
Authentication-Results: 
 mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net;
 dkim=pass header.i=@yandex.ru
From: Dmitry Antipov <dmantipov@yandex.ru>
To: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
Cc: Kalle Valo <kvalo@kernel.org>, linux-wireless@vger.kernel.org,
        Dmitry Antipov <dmantipov@yandex.ru>
Subject: [PATCH 2/2] wifi: ath9k: fix fortify warnings
Date: Tue, 20 Jun 2023 10:31:58 +0300
Message-ID: <20230620073228.363207-2-dmantipov@yandex.ru>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20230620073228.363207-1-dmantipov@yandex.ru>
References: <20230620073228.363207-1-dmantipov@yandex.ru>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
I've noticed the following:

In function ‘fortify_memcpy_chk’,
    inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4,
    inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
  529 |                         __read_overflow2_field(q_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In function ‘fortify_memcpy_chk’,
    inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3,
    inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2,
    inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
declared with attribute warning: detected read beyond size of field (2nd parameter);
maybe use struct_group()? [-Wattribute-warning]
  529 |                         __read_overflow2_field(q_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In both cases, the compiler complains on:

memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);

which is the legal way to copy both 'ba_low' and following 'ba_high'
members of 'struct ath_tx_status' at once (that is, issue one 8-byte
'memcpy()' for two 4-byte fields). Since the fortification logic
seems interprets this trick as an attempt to overread 4-byte 'ba_low',
relevant warnings may be silenced by specifying source buffer with
'offsetof()' of the 'ba_low' instead of using an address of the latter.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/ath/ath9k/xmit.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 8babaaacacf5..5a70395a3a2a 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -470,7 +470,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
 
 	if (isaggr) {
 		seq_st = ts->ts_seqnum;
-		memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+		memcpy(ba, ts + offsetof(struct ath_tx_status, ba_low),
+		       WME_BA_BMP_SIZE >> 3);
 	}
 
 	while (bf) {
@@ -553,7 +554,8 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
 	if (isaggr && txok) {
 		if (ts->ts_flags & ATH9K_TX_BA) {
 			seq_st = ts->ts_seqnum;
-			memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+			memcpy(ba, ts + offsetof(struct ath_tx_status, ba_low),
+			       WME_BA_BMP_SIZE >> 3);
 		} else {
 			/*
 			 * AR5416 can become deaf/mute when BA