[next] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
| Message ID | ZItSlzvIpjdjNfd8@work |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp822530vqr;
Thu, 15 Jun 2023 11:07:36 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ4u6aTt+kn/TjbEbjmuAy3PCltxeQF30tyPRMdDMU5kiWwWkKhHn1o46SlHBivBQ1nWLZ+l
X-Received: by 2002:a17:907:6d1e:b0:97a:e0c0:2f91 with SMTP id
sa30-20020a1709076d1e00b0097ae0c02f91mr17308164ejc.8.1686852456392;
Thu, 15 Jun 2023 11:07:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686852456; cv=none;
d=google.com; s=arc-20160816;
b=HgDZsdN3d6sPWEPtSYjoOrl8z0KKNXb5VH0Un/o+cOVq4tuuknRxQl2b97NEGKYo/P
bTPWb8ANySLDZSDKql15IHTfqZIYIFkz/u6USGXNBrNoEMhWyuHEO9mAHCoxAobJO1Ol
H5dzaV/wakxSi2/0XULu+ioo29PamYxnGrWSqWdfNh3UmXgX6H45UILhDdGfQNLgOpOT
ZD7q1qr2Aoq3KdzVlCA9h+d4Sry8c6Gw1zKaNAhqaYec1ZgRJIkMIgyYSzjILhfmMhnP
LPrfNZbBoqDQkdhYaf74gtAn3F5hKRi3Ew4asaRt3qjPU+Wjdd258ZPAXf1iGHXNii6c
LWeQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-disposition:mime-version:message-id
:subject:cc:to:from:date:dkim-signature;
bh=XoG9uotBEeVNEwPlYfuMNrIhWSTAsbJ6F8Xp72xpV1M=;
b=pMlz53EAGMKlz7fix4NBfNtwB0GI1mXKIAnp7HcVPdxuUtLZQYraPUUsfNCS9DbFzr
Q0rI98Q3dxq0d0H6w7Zw4A8Xezg2q6OeMhB80XDIFLMe8KqlQUo8cYSBFrGtLg05p6GC
dpONPd9NtI3HWR+tPyVZni9rybxouCT8fuzgKsc0Z/eqqyAXsEpUlI3lomPQ6tTolqeN
RPlNUdQYr1tjLJWR20cHBT6leSzlkNts0YfqGJ0oGWMblMqgXCWERLC0NpnZ82DB0K66
UYC7k361LDuwhTPFWI+JuXUTcZUNNmO1kX1CrDvRe8qM4VGxAoZY6KWE810vu9Mfgje2
m6/w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P+b6hnjn;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k11-20020a17090666cb00b00977c98c1412si10028739ejp.834.2023.06.15.11.07.12;
Thu, 15 Jun 2023 11:07:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P+b6hnjn;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234095AbjFOSDQ (ORCPT <rfc822;maxin.john@gmail.com> + 99 others);
Thu, 15 Jun 2023 14:03:16 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57828 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229509AbjFOSDN (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 15 Jun 2023 14:03:13 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A6152949;
Thu, 15 Jun 2023 11:03:12 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by dfw.source.kernel.org (Postfix) with ESMTPS id 9CF1362243;
Thu, 15 Jun 2023 18:03:11 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0504C433C0;
Thu, 15 Jun 2023 18:03:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1686852191;
bh=2pj0TeYHvBeMLyFsjUdIZwPu4aw2LFARw1F9lkF8nA8=;
h=Date:From:To:Cc:Subject:From;
b=P+b6hnjnj9qo5yXSvbeQA7uzmG7mKE0Q8w2EXG0KwOedKXFBf79EaCZWKwwmzzA9D
veAeWfRi/kxZ83n9lauUgX0y1Y1byh+v4MCxJExpgvEH13MDSezhA2HCbh++bb/+/b
ZnL0+Hi10VUaijzW/AQ8yJinh+e0Obnf0eVVfAtQdQVg7eWf8DnS/lzkb64D9F3vxH
BbQ1uVVZTccmNLUxgaE5H9kPR/W6EFOTie/eLNz9+o5hhdfDhrTZE2S4NXD5aPBtx4
/R7a0nJoijCVSXR9TqJZKA1FD9fkczEoIhPJHMy0DsraiuzNnrXM2K4GsBiiERco+c
ewFY5wBAbWNQQ==
Date: Thu, 15 Jun 2023 12:04:07 -0600
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Johannes Berg <johannes@sipsolutions.net>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-hardening@vger.kernel.org
Subject: [PATCH][next] wifi: wext-core: Fix -Wstringop-overflow warning in
ioctl_standard_iw_point()
Message-ID: <ZItSlzvIpjdjNfd8@work>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1768793000907297462?=
X-GMAIL-MSGID: =?utf-8?q?1768793000907297462?=
|
| Series |
[next] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
|
|
Commit Message
Gustavo A. R. Silva
June 15, 2023, 6:04 p.m. UTC
-Wstringop-overflow is legitimately warning us about extra_size
pontentially being zero at some point, hence potenially ending
up _allocating_ zero bytes of memory for extra pointer and then
trying to access such object in a call to copy_from_user().
Fix this by adding a sanity check to ensure we never end up
trying to allocate zero bytes of data for extra pointer, before
continue executing the rest of the code in the function.
Address the following -Wstringop-overflow warning seen when built
m68k architecture with allyesconfig configuration:
from net/wireless/wext-core.c:11:
In function '_copy_from_user',
inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
48 | #define memset(d, c, n) __builtin_memset(d, c, n)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
153 | memset(to + (n - res), 0, res);
| ^~~~~~
In function 'kmalloc',
inlined from 'kzalloc' at include/linux/slab.h:694:9,
inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
577 | return __kmalloc(size, flags);
| ^~~~~~~~~~~~~~~~~~~~~~
This help with the ongoing efforts to globally enable
-Wstringop-overflow.
Link: https://github.com/KSPP/linux/issues/315
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
net/wireless/wext-core.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
On Thu, Jun 15, 2023 at 12:04:07PM -0600, Gustavo A. R. Silva wrote: > -Wstringop-overflow is legitimately warning us about extra_size > pontentially being zero at some point, hence potenially ending nit: checkpatch --codespell suggests: potenially -> potentially > up _allocating_ zero bytes of memory for extra pointer and then > trying to access such object in a call to copy_from_user(). > > Fix this by adding a sanity check to ensure we never end up > trying to allocate zero bytes of data for extra pointer, before > continue executing the rest of the code in the function. > > Address the following -Wstringop-overflow warning seen when built > m68k architecture with allyesconfig configuration: > from net/wireless/wext-core.c:11: > In function '_copy_from_user', > inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, > inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: > arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] > 48 | #define memset(d, c, n) __builtin_memset(d, c, n) > | ^~~~~~~~~~~~~~~~~~~~~~~~~ > include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' > 153 | memset(to + (n - res), 0, res); > | ^~~~~~ > In function 'kmalloc', > inlined from 'kzalloc' at include/linux/slab.h:694:9, > inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: > include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' > 577 | return __kmalloc(size, flags); > | ^~~~~~~~~~~~~~~~~~~~~~ > > This help with the ongoing efforts to globally enable > -Wstringop-overflow. > > Link: https://github.com/KSPP/linux/issues/315 > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Simon Horman <simon.horman@corigine.com>
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c index a125fd1fa134..a161c64d1765 100644 --- a/net/wireless/wext-core.c +++ b/net/wireless/wext-core.c @@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, } } + /* Sanity-check to ensure we never end up _allocating_ zero + * bytes of data for extra. + */ + if (extra_size <= 0) + return -EFAULT; + /* kzalloc() ensures NULL-termination for essid_compat. */ extra = kzalloc(extra_size, GFP_KERNEL); if (!extra)