From patchwork Thu Jun 15 18:04:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 108673 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp822530vqr; Thu, 15 Jun 2023 11:07:36 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4u6aTt+kn/TjbEbjmuAy3PCltxeQF30tyPRMdDMU5kiWwWkKhHn1o46SlHBivBQ1nWLZ+l X-Received: by 2002:a17:907:6d1e:b0:97a:e0c0:2f91 with SMTP id sa30-20020a1709076d1e00b0097ae0c02f91mr17308164ejc.8.1686852456392; Thu, 15 Jun 2023 11:07:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686852456; cv=none; d=google.com; s=arc-20160816; b=HgDZsdN3d6sPWEPtSYjoOrl8z0KKNXb5VH0Un/o+cOVq4tuuknRxQl2b97NEGKYo/P bTPWb8ANySLDZSDKql15IHTfqZIYIFkz/u6USGXNBrNoEMhWyuHEO9mAHCoxAobJO1Ol H5dzaV/wakxSi2/0XULu+ioo29PamYxnGrWSqWdfNh3UmXgX6H45UILhDdGfQNLgOpOT ZD7q1qr2Aoq3KdzVlCA9h+d4Sry8c6Gw1zKaNAhqaYec1ZgRJIkMIgyYSzjILhfmMhnP LPrfNZbBoqDQkdhYaf74gtAn3F5hKRi3Ew4asaRt3qjPU+Wjdd258ZPAXf1iGHXNii6c LWeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:dkim-signature; bh=XoG9uotBEeVNEwPlYfuMNrIhWSTAsbJ6F8Xp72xpV1M=; b=pMlz53EAGMKlz7fix4NBfNtwB0GI1mXKIAnp7HcVPdxuUtLZQYraPUUsfNCS9DbFzr Q0rI98Q3dxq0d0H6w7Zw4A8Xezg2q6OeMhB80XDIFLMe8KqlQUo8cYSBFrGtLg05p6GC dpONPd9NtI3HWR+tPyVZni9rybxouCT8fuzgKsc0Z/eqqyAXsEpUlI3lomPQ6tTolqeN RPlNUdQYr1tjLJWR20cHBT6leSzlkNts0YfqGJ0oGWMblMqgXCWERLC0NpnZ82DB0K66 UYC7k361LDuwhTPFWI+JuXUTcZUNNmO1kX1CrDvRe8qM4VGxAoZY6KWE810vu9Mfgje2 m6/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P+b6hnjn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k11-20020a17090666cb00b00977c98c1412si10028739ejp.834.2023.06.15.11.07.12; Thu, 15 Jun 2023 11:07:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P+b6hnjn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234095AbjFOSDQ (ORCPT + 99 others); Thu, 15 Jun 2023 14:03:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57828 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229509AbjFOSDN (ORCPT ); Thu, 15 Jun 2023 14:03:13 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A6152949; Thu, 15 Jun 2023 11:03:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9CF1362243; Thu, 15 Jun 2023 18:03:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0504C433C0; Thu, 15 Jun 2023 18:03:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1686852191; bh=2pj0TeYHvBeMLyFsjUdIZwPu4aw2LFARw1F9lkF8nA8=; h=Date:From:To:Cc:Subject:From; b=P+b6hnjnj9qo5yXSvbeQA7uzmG7mKE0Q8w2EXG0KwOedKXFBf79EaCZWKwwmzzA9D veAeWfRi/kxZ83n9lauUgX0y1Y1byh+v4MCxJExpgvEH13MDSezhA2HCbh++bb/+/b ZnL0+Hi10VUaijzW/AQ8yJinh+e0Obnf0eVVfAtQdQVg7eWf8DnS/lzkb64D9F3vxH BbQ1uVVZTccmNLUxgaE5H9kPR/W6EFOTie/eLNz9+o5hhdfDhrTZE2S4NXD5aPBtx4 /R7a0nJoijCVSXR9TqJZKA1FD9fkczEoIhPJHMy0DsraiuzNnrXM2K4GsBiiERco+c ewFY5wBAbWNQQ== Date: Thu, 15 Jun 2023 12:04:07 -0600 From: "Gustavo A. R. Silva" To: Johannes Berg , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , linux-hardening@vger.kernel.org Subject: [PATCH][next] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() Message-ID: MIME-Version: 1.0 Content-Disposition: inline X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768793000907297462?= X-GMAIL-MSGID: =?utf-8?q?1768793000907297462?= -Wstringop-overflow is legitimately warning us about extra_size pontentially being zero at some point, hence potenially ending up _allocating_ zero bytes of memory for extra pointer and then trying to access such object in a call to copy_from_user(). Fix this by adding a sanity check to ensure we never end up trying to allocate zero bytes of data for extra pointer, before continue executing the rest of the code in the function. Address the following -Wstringop-overflow warning seen when built m68k architecture with allyesconfig configuration: from net/wireless/wext-core.c:11: In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] 48 | #define memset(d, c, n) __builtin_memset(d, c, n) | ^~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' 153 | memset(to + (n - res), 0, res); | ^~~~~~ In function 'kmalloc', inlined from 'kzalloc' at include/linux/slab.h:694:9, inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' 577 | return __kmalloc(size, flags); | ^~~~~~~~~~~~~~~~~~~~~~ This help with the ongoing efforts to globally enable -Wstringop-overflow. Link: https://github.com/KSPP/linux/issues/315 Signed-off-by: Gustavo A. R. Silva Reviewed-by: Simon Horman --- net/wireless/wext-core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c index a125fd1fa134..a161c64d1765 100644 --- a/net/wireless/wext-core.c +++ b/net/wireless/wext-core.c @@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, } } + /* Sanity-check to ensure we never end up _allocating_ zero + * bytes of data for extra. + */ + if (extra_size <= 0) + return -EFAULT; + /* kzalloc() ensures NULL-termination for essid_compat. */ extra = kzalloc(extra_size, GFP_KERNEL); if (!extra)