| Message ID | e03d36114bcbcf814ad13deb7812b0b5c196dadb.1617226663.git.gustavoars@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | wl3501_cs: Fix out-of-bounds warnings | expand |
On Wed, Mar 31, 2021 at 04:44:29PM -0500, Gustavo A. R. Silva wrote: > Fix the following out-of-bounds warning by enclosing > structure members daddr and saddr into new struct addr: > > arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] > > Refactor the code, accordingly: > > $ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o > struct wl3501_md_req { > u16 next_blk; /* 0 2 */ > u8 sig_id; /* 2 1 */ > u8 routing; /* 3 1 */ > u16 data; /* 4 2 */ > u16 size; /* 6 2 */ > u8 pri; /* 8 1 */ > u8 service_class; /* 9 1 */ > struct { > u8 daddr[6]; /* 10 6 */ > u8 saddr[6]; /* 16 6 */ > } addr; /* 10 12 */ > > /* size: 22, cachelines: 1, members: 8 */ > /* last cacheline: 22 bytes */ > }; > > The problem is that the original code is trying to copy data into a > couple of arrays adjacent to each other in a single call to memcpy(). > Now that a new struct _addr_ enclosing those two adjacent arrays > is introduced, memcpy() doesn't overrun the length of &sig.daddr[0], > because the address of the new struct object _addr_ is used as > destination, instead. > > Also, this helps with the ongoing efforts to enable -Warray-bounds and > avoid confusing the compiler. > > Link: https://github.com/KSPP/linux/issues/109 > Reported-by: kernel test robot <lkp@intel.com> > Build-tested-by: kernel test robot <lkp@intel.com> > Link: https://lore.kernel.org/lkml/60641d9b.2eNLedOGSdcSoAV2%25lkp@intel.com/ > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Thanks, this makes the code much easier for the compiler to validate at compile time. These cross-field memcpy()s are weird. I like the solution here. Reviewed-by: Kees Cook <keescook@chromium.org> -- Kees Cook
diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h index e98e04ee9a2c..ef9d605d8c88 100644 --- a/drivers/net/wireless/wl3501.h +++ b/drivers/net/wireless/wl3501.h @@ -471,8 +471,10 @@ struct wl3501_md_req { u16 size; u8 pri; u8 service_class; - u8 daddr[ETH_ALEN]; - u8 saddr[ETH_ALEN]; + struct { + u8 daddr[ETH_ALEN]; + u8 saddr[ETH_ALEN]; + } addr; }; struct wl3501_md_ind { diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c index 8ca5789c7b37..e149ef81d6cc 100644 --- a/drivers/net/wireless/wl3501_cs.c +++ b/drivers/net/wireless/wl3501_cs.c @@ -469,6 +469,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) struct wl3501_md_req sig = { .sig_id = WL3501_SIG_MD_REQ, }; + size_t sig_addr_len = sizeof(sig.addr); u8 *pdata = (char *)data; int rc = -EIO; @@ -484,9 +485,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) goto out; } rc = 0; - memcpy(&sig.daddr[0], pdata, 12); - pktlen = len - 12; - pdata += 12; + memcpy(&sig.addr, pdata, sig_addr_len); + pktlen = len - sig_addr_len; + pdata += sig_addr_len; sig.data = bf; if (((*pdata) * 256 + (*(pdata + 1))) > 1500) { u8 addr4[ETH_ALEN] = {
Fix the following out-of-bounds warning by enclosing structure members daddr and saddr into new struct addr: arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] Refactor the code, accordingly: $ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o struct wl3501_md_req { u16 next_blk; /* 0 2 */ u8 sig_id; /* 2 1 */ u8 routing; /* 3 1 */ u16 data; /* 4 2 */ u16 size; /* 6 2 */ u8 pri; /* 8 1 */ u8 service_class; /* 9 1 */ struct { u8 daddr[6]; /* 10 6 */ u8 saddr[6]; /* 16 6 */ } addr; /* 10 12 */ /* size: 22, cachelines: 1, members: 8 */ /* last cacheline: 22 bytes */ }; The problem is that the original code is trying to copy data into a couple of arrays adjacent to each other in a single call to memcpy(). Now that a new struct _addr_ enclosing those two adjacent arrays is introduced, memcpy() doesn't overrun the length of &sig.daddr[0], because the address of the new struct object _addr_ is used as destination, instead. Also, this helps with the ongoing efforts to enable -Warray-bounds and avoid confusing the compiler. Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot <lkp@intel.com> Build-tested-by: kernel test robot <lkp@intel.com> Link: https://lore.kernel.org/lkml/60641d9b.2eNLedOGSdcSoAV2%25lkp@intel.com/ Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- Changes in v2: - Update changelog text. - Replace a couple of magic numbers with new variable sig_addr_len. drivers/net/wireless/wl3501.h | 6 ++++-- drivers/net/wireless/wl3501_cs.c | 7 ++++--- 2 files changed, 8 insertions(+), 5 deletions(-)