From patchwork Thu Aug 19 20:28:23 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 500851
From: Kees Cook
To: netdev@vger.kernel.org
Cc: Kees Cook, Stanislav Yakovlev, Kalle Valo, "David S. Miller", Jakub Kicinski, linux-wireless@vger.kernel.org, Saeed Mahameed, Leon Romanovsky, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 1/3] ipw2x00: Avoid field-overflowing memcpy()
Date: Thu, 19 Aug 2021 13:28:23 -0700
Message-Id: <20210819202825.3545692-2-keescook@chromium.org>
In-Reply-To: <20210819202825.3545692-1-keescook@chromium.org>
References: <20210819202825.3545692-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing compile-time
and run-time field bounds checking for memcpy(), memmove(), and memset(),
avoid intentionally writing across neighboring fields.

libipw_read_qos_param_element() copies a struct libipw_info_element
into a struct libipw_qos_information_element, but is actually wanting to
copy into the larger struct libipw_qos_parameter_info (the contents of
ac_params_record[] is later examined). Refactor the routine to perform
centralized checks, and copy the entire contents directly (since the id
and len members match the elementID and length members):

struct libipw_info_element {
	u8 id;
	u8 len;
	u8 data[];
} __packed;

struct libipw_qos_information_element {
	u8 elementID;
	u8 length;
	u8 qui[QOS_OUI_LEN];
	u8 qui_type;
	u8 qui_subtype;
	u8 version;
	u8 ac_info;
} __packed;

struct libipw_qos_parameter_info {
	struct libipw_qos_information_element info_element;
	u8 reserved;
	struct libipw_qos_ac_parameter ac_params_record[QOS_QUEUE_NUM];
} __packed;

Cc: Stanislav Yakovlev
Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- .../net/wireless/intel/ipw2x00/libipw_rx.c | 56 ++++++------------- 1 file changed, 17 insertions(+), 39 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c index 5a2a723e480b..7a684b76f39b 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c @@ -927,7 +927,8 @@ static u8 qos_oui[QOS_OUI_LEN] = { 0x00, 0x50, 0xF2 }; static int libipw_verify_qos_info(struct libipw_qos_information_element *info_element, int sub_type) { - + if (info_element->elementID != QOS_ELEMENT_ID) + return -1; if (info_element->qui_subtype != sub_type) return -1; if (memcmp(info_element->qui, qos_oui, QOS_OUI_LEN))
@@ -943,57 +944,34 @@ static int libipw_verify_qos_info(struct libipw_qos_information_element /* * Parse a QoS parameter element */ -static int libipw_read_qos_param_element(struct libipw_qos_parameter_info - *element_param, struct libipw_info_element - *info_element) +static int libipw_read_qos_param_element( + struct libipw_qos_parameter_info *element_param, + struct libipw_info_element *info_element) { - int ret = 0; - u16 size = sizeof(struct libipw_qos_parameter_info) - 2; + size_t size = sizeof(*element_param); - if ((info_element == NULL) || (element_param == NULL)) + if (!element_param || !info_element || info_element->len != size - 2) return -1; - if (info_element->id == QOS_ELEMENT_ID && info_element->len == size) { - memcpy(element_param->info_element.qui, info_element->data, - info_element->len); - element_param->info_element.elementID = info_element->id; - element_param->info_element.length = info_element->len; - } else - ret = -1; - if (ret == 0) - ret = libipw_verify_qos_info(&element_param->info_element, - QOS_OUI_PARAM_SUB_TYPE); - return ret; + memcpy(element_param, info_element, size); + return libipw_verify_qos_info(&element_param->info_element, + QOS_OUI_PARAM_SUB_TYPE); } /* * Parse a QoS information element */ -static int libipw_read_qos_info_element(struct - libipw_qos_information_element - *element_info, struct libipw_info_element - *info_element) +static int libipw_read_qos_info_element( + struct libipw_qos_information_element *element_info, + struct libipw_info_element *info_element) { - int ret = 0; - u16 size = sizeof(struct libipw_qos_information_element) - 2; + size_t size = sizeof(struct libipw_qos_information_element) - 2; - if (element_info == NULL) + if (!element_info || !info_element || info_element->len != size - 2) return -1; - if (info_element == NULL) - return -1; - - if ((info_element->id == QOS_ELEMENT_ID) && (info_element->len == size)) { - memcpy(element_info->qui, info_element->data, - info_element->len); - 
element_info->elementID = info_element->id; - element_info->length = info_element->len; - } else - ret = -1; - if (ret == 0) - ret = libipw_verify_qos_info(element_info, - QOS_OUI_INFO_SUB_TYPE); - return ret; + memcpy(element_info, info_element, size); + return libipw_verify_qos_info(element_info, QOS_OUI_INFO_SUB_TYPE); } /*

From patchwork Thu Aug 19 20:28:24 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 500127
From: Kees Cook
To: netdev@vger.kernel.org
Cc: Kees Cook, Saeed Mahameed, Leon Romanovsky, "David S. Miller", Jakub Kicinski, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, linux-rdma@vger.kernel.org, bpf@vger.kernel.org, Stanislav Yakovlev, Kalle Valo, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 2/3] net/mlx5e: Avoid field-overflowing memcpy()
Date: Thu, 19 Aug 2021 13:28:24 -0700
Message-Id: <20210819202825.3545692-3-keescook@chromium.org>
In-Reply-To: <20210819202825.3545692-1-keescook@chromium.org>
References: <20210819202825.3545692-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE performing
compile-time and run-time field bounds checking for memcpy(), memmove(),
and memset(), avoid intentionally writing across neighboring fields.

Use flexible arrays instead of zero-element arrays (which look like they
are always overflowing) and split the cross-field memcpy() into two halves
that can be appropriately bounds-checked by the compiler.

We were doing:

	#define ETH_HLEN 14
	#define VLAN_HLEN 4
	...
	#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)
	...
	struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);
	...
	struct mlx5_wqe_eth_seg *eseg = &wqe->eth;
	struct mlx5_wqe_data_seg *dseg = wqe->data;
	...
	memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);

target is wqe->eth.inline_hdr.start (which the compiler sees as being
2 bytes in size), but copying 18, intending to write across start
(really vlan_tci, 2 bytes). The remaining 16 bytes get written into
wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr
(8 bytes).

struct mlx5e_tx_wqe {
	struct mlx5_wqe_ctrl_seg ctrl;              /*  0 16 */
	struct mlx5_wqe_eth_seg eth;                /* 16 16 */
	struct mlx5_wqe_data_seg data[];            /* 32  0 */

	/* size: 32, cachelines: 1, members: 3 */
	/* last cacheline: 32 bytes */
};

struct mlx5_wqe_eth_seg {
	u8 swp_outer_l4_offset;                     /*  0  1 */
	u8 swp_outer_l3_offset;                     /*  1  1 */
	u8 swp_inner_l4_offset;                     /*  2  1 */
	u8 swp_inner_l3_offset;                     /*  3  1 */
	u8 cs_flags;                                /*  4  1 */
	u8 swp_flags;                               /*  5  1 */
	__be16 mss;                                 /*  6  2 */
	__be32 flow_table_metadata;                 /*  8  4 */
	union {
		struct {
			__be16 sz;                  /* 12  2 */
			u8 start[2];                /* 14  2 */
		} inline_hdr;                       /* 12  4 */
		struct {
			__be16 type;                /* 12  2 */
			__be16 vlan_tci;            /* 14  2 */
		} insert;                           /* 12  4 */
		__be32 trailer;                     /* 12  4 */
	};                                          /* 12  4 */

	/* size: 16, cachelines: 1, members: 9 */
	/* last cacheline: 16 bytes */
};

struct mlx5_wqe_data_seg {
	__be32 byte_count;                          /*  0  4 */
	__be32 lkey;                                /*  4  4 */
	__be64 addr;                                /*  8  8 */

	/* size: 16, cachelines: 1, members: 3 */
	/* last cacheline: 16 bytes */
};

So, split the memcpy() so the compiler can reason about the buffer sizes.

"pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe
nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object code
changes (i.e. only source line number induced differences and
optimizations).

Cc: Saeed Mahameed
Cc: Leon Romanovsky
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Jesper Dangaard Brouer
Cc: John Fastabend
Cc: netdev@vger.kernel.org
Cc: linux-rdma@vger.kernel.org
Cc: bpf@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++-- drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h index 4f6897c1ea8d..8997476c20cc 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h @@ -200,7 +200,7 @@ static inline int mlx5e_get_max_num_channels(struct mlx5_core_dev *mdev) struct mlx5e_tx_wqe { struct mlx5_wqe_ctrl_seg ctrl; struct mlx5_wqe_eth_seg eth; - struct mlx5_wqe_data_seg data[0]; + struct mlx5_wqe_data_seg data[]; }; struct mlx5e_rx_wqe_ll { @@ -216,7 +216,7 @@ struct mlx5e_umr_wqe { struct mlx5_wqe_ctrl_seg ctrl; struct mlx5_wqe_umr_ctrl_seg uctrl; struct mlx5_mkey_seg mkc; - struct mlx5_mtt inline_mtts[0]; + struct mlx5_mtt inline_mtts[]; }; extern const char mlx5e_self_tests[][ETH_GSTRING_LEN]; diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c index 2f0df5cc1a2d..efae2444c26f 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
@@ -341,8 +341,10 @@ mlx5e_xmit_xdp_frame(struct mlx5e_xdpsq *sq, struct mlx5e_xmit_data *xdptxd, /* copy the inline part if required */ if (sq->min_inline_mode != MLX5_INLINE_MODE_NONE) { - memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE); + memcpy(eseg->inline_hdr.start, xdptxd->data, sizeof(eseg->inline_hdr.start)); eseg->inline_hdr.sz = cpu_to_be16(MLX5E_XDP_MIN_INLINE); + memcpy(dseg, xdptxd->data + sizeof(eseg->inline_hdr.start), + MLX5E_XDP_MIN_INLINE - sizeof(eseg->inline_hdr.start)); dma_len -= MLX5E_XDP_MIN_INLINE; dma_addr += MLX5E_XDP_MIN_INLINE; dseg++;

From patchwork Thu Aug 19 20:28:25 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 500850
From: Kees Cook
To: netdev@vger.kernel.org
Cc: Kees Cook, Kalle Valo, "David S. Miller", Jakub Kicinski, linux-wireless@vger.kernel.org, Stanislav Yakovlev, Saeed Mahameed, Leon Romanovsky, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 3/3] pcmcia: ray_cs: Split memcpy() to avoid bounds check warning
Date: Thu, 19 Aug 2021 13:28:25 -0700
Message-Id: <20210819202825.3545692-4-keescook@chromium.org>
In-Reply-To: <20210819202825.3545692-1-keescook@chromium.org>
References: <20210819202825.3545692-1-keescook@chromium.org>

In preparation for FORTIFY_SOURCE
performing compile-time and run-time field bounds checking for memcpy(),
memmove(), and memset(), avoid intentionally writing across neighboring
fields.

Split memcpy() for each address range to help memcpy() correctly reason
about the bounds checking. Avoids the future warning:

In function 'fortify_memcpy_chk',
    inlined from 'memcpy_toio' at ./include/asm-generic/io.h:1204:2,
    inlined from 'ray_build_header.constprop' at drivers/net/wireless/ray_cs.c:984:3:
./include/linux/fortify-string.h:285:4: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning]
  285 |    __write_overflow_field(p_size_field, size);
      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cc: Kalle Valo
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
--- drivers/net/wireless/ray_cs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c index 590bd974d94f..d57bbe551630 100644 --- a/drivers/net/wireless/ray_cs.c +++ b/drivers/net/wireless/ray_cs.c @@ -982,7 +982,9 @@ AP to AP 1 1 dest AP src AP dest source if (local->net_type == ADHOC) { writeb(0, &ptx->mac.frame_ctl_2); memcpy_toio(ptx->mac.addr_1, ((struct ethhdr *)data)->h_dest, - 2 * ADDRLEN); + ADDRLEN); + memcpy_toio(ptx->mac.addr_2, ((struct ethhdr *)data)->h_source, + ADDRLEN); memcpy_toio(ptx->mac.addr_3, local->bss_id, ADDRLEN); } else { /* infrastructure */
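
Review bot: [PATCH 1/3], libipw_rx.c hunk @@ -927,7 +927,8 @@: with the QOS_ELEMENT_ID test placed in libipw_verify_qos_info(), both readers in the following hunk memcpy() into the caller's structure before the element ID is checked, whereas the removed code tested info_element->id first and left the destination untouched on a mismatch. If any caller can look at the destination after a -1 return, keep an early "info_element->id != QOS_ELEMENT_ID" test in the readers; otherwise a one-line comment on libipw_verify_qos_info() saying that it validates an already-copied element would document the new ordering.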
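
Review bot: [PATCH 1/3], libipw_rx.c hunk @@ -943,57 +944,34 @@, libipw_read_qos_info_element(): the two-byte header is subtracted twice. size is initialised to "sizeof(struct libipw_qos_information_element) - 2" and the test is then "info_element->len != size - 2", so the accepted len is two bytes smaller than the one the removed code accepted (len == sizeof - 2), and the memcpy() of size bytes stops two bytes before the end of the structure, leaving version and ac_info unwritten. libipw_read_qos_param_element() in the same hunk uses "size_t size = sizeof(*element_param);" with the same "size - 2" test; "size_t size = sizeof(*element_info);" here would make the two routines consistent and keep the old acceptance condition.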
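
Review bot: [PATCH 2/3], en/xdp.c hunk @@ -341,8 +341,10 @@: the second memcpy() writes "MLX5E_XDP_MIN_INLINE - sizeof(eseg->inline_hdr.start)" bytes at dseg, which is only correct while that remainder equals sizeof(*dseg) (16 bytes per the pahole output in the commit message), and nothing in the code states this. A BUILD_BUG_ON() on that equality next to the copy, plus a short comment that the inline header deliberately continues from inline_hdr.start into the first data segment, would keep the assumption checked. The first added memcpy() line is also left unwrapped although, indented inside the if block, it runs past 80 columns, while the second added call is wrapped; wrapping both the same way would be consistent.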
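
Review bot: [PATCH 3/3], ray_cs.c hunk @@ -982,7 +982,9 @@: the cast "((struct ethhdr *)data)" is now repeated on two consecutive calls; a local "struct ethhdr *eth = (struct ethhdr *)data;" would shorten both lines. Both copies still pass ADDRLEN, so each bound relies on h_dest, h_source, addr_1 and addr_2 all being ADDRLEN bytes, and the hunk does not show those declarations; using sizeof() of the destination field would make each bound self-evident. The commit message could also state that the result is unchanged only because h_source directly follows h_dest in struct ethhdr and the removed "2 * ADDRLEN" copy relied on addr_2 directly following addr_1.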
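
The field-versus-object arithmetic described in the [PATCH 2/3] commit message, as an added example that is not code from the patch or from the mlx5 driver: a user-space mirror of the quoted layouts that checks the offsets at build time and confirms that the split copy writes the same bytes as the single copy. The shortened struct names, the opaque ctrl_seg stand-in, START_OFF, START_LEN, field_overrun() and the sample packet bytes are assumptions made for the example.

```c
/* Added example: user-space mirror of the layouts in the 2/3 commit message. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN 14
#define VLAN_HLEN 4
#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)

/* Fixed-width types stand in for u8/__be16/__be32/__be64. */
struct ctrl_seg { uint8_t raw[16]; };	/* assumed opaque 16-byte stand-in */
struct data_seg { uint32_t byte_count, lkey; uint64_t addr; };

struct eth_seg {
	uint8_t swp_outer_l4_offset, swp_outer_l3_offset;
	uint8_t swp_inner_l4_offset, swp_inner_l3_offset;
	uint8_t cs_flags, swp_flags;
	uint16_t mss;
	uint32_t flow_table_metadata;
	union {
		struct { uint16_t sz; uint8_t start[2]; } inline_hdr;
		struct { uint16_t type; uint16_t vlan_tci; } insert;
		uint32_t trailer;
	};
};

struct tx_wqe {
	struct ctrl_seg ctrl;
	struct eth_seg eth;
	struct data_seg data[];	/* flexible array, as in the patch */
};

#define START_OFF offsetof(struct tx_wqe, eth.inline_hdr.start)
#define START_LEN (sizeof(((struct eth_seg *)0)->inline_hdr.start))

/* Layout facts the split copy relies on, checked at build time. */
_Static_assert(START_OFF + START_LEN == offsetof(struct tx_wqe, data),
	       "start[] must be the last field before data[0]");
_Static_assert(MLX5E_XDP_MIN_INLINE - START_LEN == sizeof(struct data_seg),
	       "remainder must fill exactly one data segment");

/* Bytes a copy of n would write past a field of field_size bytes. */
size_t field_overrun(size_t field_size, size_t n)
{
	return n > field_size ? n - field_size : 0;
}

/* Pre-patch effect: 18 bytes from start[] on, via an explicit byte pointer. */
void copy_single(struct tx_wqe *wqe, const uint8_t *pkt)
{
	memcpy((uint8_t *)wqe + START_OFF, pkt, MLX5E_XDP_MIN_INLINE);
}

/* Patched form: each memcpy() stays inside its own destination. */
void copy_split(struct tx_wqe *wqe, const uint8_t *pkt)
{
	memcpy(wqe->eth.inline_hdr.start, pkt, START_LEN);
	memcpy(wqe->data, pkt + START_LEN, MLX5E_XDP_MIN_INLINE - START_LEN);
}

/* Returns 1 when both forms leave identical bytes in the WQE. */
int split_matches_single(void)
{
	size_t len = sizeof(struct tx_wqe) + sizeof(struct data_seg);
	struct tx_wqe *a = calloc(1, len), *b = calloc(1, len);
	uint8_t pkt[MLX5E_XDP_MIN_INLINE];	/* constructed sample header */
	int same = 0;
	if (a && b) {
		for (size_t i = 0; i < sizeof(pkt); i++)
			pkt[i] = (uint8_t)(0xA0 + i);
		copy_single(a, pkt);
		copy_split(b, pkt);
		same = memcmp(a, b, len) == 0 && b->data[0].byte_count != 0;
	}
	free(a);
	free(b);
	return same;
}

int main(void) { return split_matches_single() ? 0 : 1; }
```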