rtlwifi: rtl8192de: Fully initialize curvecount_val

Message ID	20210617171317.3410722-1-keescook@chromium.org
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: Kalle Valo <kvalo@codeaurora.org> Cc: Kees Cook <keescook@chromium.org>, Larry Finger <Larry.Finger@lwfinger.net>, Ping-Ke Shih <pkshih@realtek.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Kaixu Xia <kaixuxia@tencent.com>, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH] rtlwifi: rtl8192de: Fully initialize curvecount_val Date: Thu, 17 Jun 2021 10:13:17 -0700 Message-Id: <20210617171317.3410722-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	rtlwifi: rtl8192de: Fully initialize curvecount_val \| expand rtlwifi: rtl8192de: Fully initialize curvecount_val

Message ID

20210617171317.3410722-1-keescook@chromium.org

State

New

Headers

From: Kees Cook <keescook@chromium.org>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: Kees Cook <keescook@chromium.org>,
	Larry Finger <Larry.Finger@lwfinger.net>,
	Ping-Ke Shih <pkshih@realtek.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Kaixu Xia <kaixuxia@tencent.com>, linux-kernel@vger.kernel.org,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH] rtlwifi: rtl8192de: Fully initialize curvecount_val
Date: Thu, 17 Jun 2021 10:13:17 -0700
Message-Id: <20210617171317.3410722-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

rtlwifi: rtl8192de: Fully initialize curvecount_val | expand

Commit Message

Kees Cook June 17, 2021, 5:13 p.m. UTC

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.

The size argument to memset() is bytes, but the array element size
of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the
contents of curvecount_val. Adjust memset() to wipe full buffer size.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kalle Valo June 22, 2021, 3:24 p.m. UTC | #1

Kees Cook <keescook@chromium.org> wrote:

> In preparation for FORTIFY_SOURCE performing compile-time and run-time

> field bounds checking for memcpy(), memmove(), and memset(), avoid

> intentionally writing across neighboring array fields.

> 

> The size argument to memset() is bytes, but the array element size

> of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the

> contents of curvecount_val. Adjust memset() to wipe full buffer size.

> 

> Signed-off-by: Kees Cook <keescook@chromium.org>

> Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>


Patch applied to wireless-drivers-next.git, thanks.

0d5e743db480 rtlwifi: rtl8192de: Fully initialize curvecount_val

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210617171317.3410722-1-keescook@chromium.org/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
index 68ec009ea157..76dd881ef9bb 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
@@ -2574,7 +2574,7 @@  static void _rtl92d_phy_lc_calibrate_sw(struct ieee80211_hw *hw, bool is2t)
 			RTPRINT(rtlpriv, FINIT, INIT_IQK,
 				"path-B / 2.4G LCK\n");
 		}
-		memset(&curvecount_val[0], 0, CV_CURVE_CNT * 2);
+		memset(curvecount_val, 0, sizeof(curvecount_val));
 		/* Set LC calibration off */
 		rtl_set_rfreg(hw, (enum radio_path)index, RF_CHNLBW,
 			      0x08000, 0x0);