1. 08 Aug, 2023 5 commits
  2. 02 Aug, 2023 1 commit
    • Hans de Goede's avatar
      wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() · 16e455a4
      Hans de Goede authored
      Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
      a backtrace caused by the following field-spanning warning:
      
      memcpy: detected field-spanning write (size 120) of single field
        "&params_le->channel_list[0]" at
        drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
      
      The driver still works after this warning. The warning was introduced by the
      new field-spanning write checks which were enabled recently.
      
      Fix this by replacing the channel_list[1] declaration at the end of
      the struct with a flexible array declaration.
      
      Most users of struct brcmf_scan_params_le calculate the size to alloc
      using the size of the non flex-array part of the struct + needed extra
      space, so they do not care about sizeof(struct brcmf_scan_params_le).
      
      brcmf_notify_escan_complete() however uses the struct on the stack,
      expecting there to be room for at least 1 entry in the channel-list
      to store the special -1 abort channel-id.
      
      To make this work use an anonymous union with a padding member
      added + the actual channel_list flexible array.
      
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
      16e455a4
  3. 01 Aug, 2023 1 commit
    • Kees Cook's avatar
      wifi: ray_cs: Replace 1-element array with flexible array · 1d7dd5aa
      Kees Cook authored
      The trailing array member of struct tx_buf was defined as a 1-element
      array, but used as a flexible array. This was resulting in build warnings:
      
          In function 'fortify_memset_chk',
              inlined from 'memset_io' at /kisskb/src/arch/mips/include/asm/io.h:486:2,
              inlined from 'build_auth_frame' at /kisskb/src/drivers/net/wireless/legacy/ray_cs.c:2697:2:
          /kisskb/src/include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning:
      detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
            493 |                         __write_overflow_field(p_size_field, size);
                |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Replace it with an actual flexible array. Binary difference comparison
      shows a single change in output:
      
      │  drivers/net/wireless/legacy/ray_cs.c:883
      │       lea    0x1c(%rbp),%r13d
      │ -     cmp    $0x7c3,%r13d
      │ +     cmp    $0x7c4,%r13d
      
      This is from:
      
              if (len + TX_HEADER_LENGTH > TX_BUF_SIZE) {
      
      specifically:
      
       #define TX_BUF_SIZE (2048 - sizeof(struct tx_msg))
      
      This appears to have been originally buggy, so the change is correct.
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Closes: https://lore.kernel.org/all/88f83d73-781d-bdc-126-aa629cb368c@linux-m68k.org
      Cc: Kalle Valo <kvalo@kernel.org>
      Cc: linux-wireless@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20230728231245.never.309-kees@kernel.org
      1d7dd5aa
  4. 26 Jul, 2023 13 commits
  5. 24 Jul, 2023 2 commits
  6. 20 Jul, 2023 10 commits
  7. 19 Jul, 2023 8 commits