Message ID | 20210421234337.GA127225@embeddedor |
---|---|
State | New |
Headers | show |
Series | [next] wireless: wext-spy: Fix out-of-bounds warning | expand |
On Wed, Apr 21, 2021 at 06:43:37PM -0500, Gustavo A. R. Silva wrote: > Fix the following out-of-bounds warning: > > net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds] > > The problem is that the original code is trying to copy data into a > couple of struct members adjacent to each other in a single call to > memcpy(). This causes a legitimate compiler warning because memcpy() > overruns the length of &threshold.low and &spydata->spy_thr_low. As > these are just a couple of members, fix this by copying each one of > them in separate calls to memcpy(). > > Also, while there, use sizeof(threshold.qual) instead of > sizeof(struct iw_quality)) in another call to memcpy() > above. > > This helps with the ongoing efforts to globally enable -Warray-bounds > and get us closer to being able to tighten the FORTIFY_SOURCE routines > on memcpy(). > > Link: https://github.com/KSPP/linux/issues/109 > Reported-by: kernel test robot <lkp@intel.com> > Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Thanks! Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > net/wireless/wext-spy.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c > index 33bef22e44e9..bb2de7c6bee4 100644 > --- a/net/wireless/wext-spy.c > +++ b/net/wireless/wext-spy.c > @@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev, > return -EOPNOTSUPP; > > /* Just do it */ > - memcpy(&(spydata->spy_thr_low), &(threshold->low), > - 2 * sizeof(struct iw_quality)); > + memcpy(&spydata->spy_thr_low, &threshold->low, sizeof(threshold->low)); > + memcpy(&spydata->spy_thr_high, &threshold->high, sizeof(threshold->high)); > > /* Clear flag */ > memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under)); > @@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev, > memcpy(threshold.addr.sa_data, address, ETH_ALEN); > threshold.addr.sa_family = ARPHRD_ETHER; > /* Copy stats */ > - memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality)); > + memcpy(&threshold.qual, wstats, sizeof(threshold.qual)); > /* Copy also thresholds */ > - memcpy(&(threshold.low), &(spydata->spy_thr_low), > - 2 * sizeof(struct iw_quality)); > + memcpy(&threshold.low, &spydata->spy_thr_low, sizeof(threshold.low)); > + memcpy(&threshold.high, &spydata->spy_thr_high, sizeof(threshold.high)); > > /* Send event to user space */ > wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold); > -- > 2.27.0 >
On Wed, 2021-04-21 at 18:43 -0500, Gustavo A. R. Silva wrote: > > /* Just do it */ > - memcpy(&(spydata->spy_thr_low), &(threshold->low), > - 2 * sizeof(struct iw_quality)); > + memcpy(&spydata->spy_thr_low, &threshold->low, sizeof(threshold->low)); > + memcpy(&spydata->spy_thr_high, &threshold->high, sizeof(threshold->high)); > It would've been really simple to stick to 80 columns here (and everywhere in the patch), please do that. Also, why not just use struct assigments? spydata->spy_thr_low = threshold->low; etc. Seems far simpler (and shorter lines). johannes
On 4/22/21 02:04, Johannes Berg wrote: > On Wed, 2021-04-21 at 18:43 -0500, Gustavo A. R. Silva wrote: >> >> /* Just do it */ >> - memcpy(&(spydata->spy_thr_low), &(threshold->low), >> - 2 * sizeof(struct iw_quality)); >> + memcpy(&spydata->spy_thr_low, &threshold->low, sizeof(threshold->low)); >> + memcpy(&spydata->spy_thr_high, &threshold->high, sizeof(threshold->high)); >> > > It would've been really simple to stick to 80 columns here (and > everywhere in the patch), please do that. > > Also, why not just use struct assigments? > > spydata->spy_thr_low = threshold->low; > > etc. > Done: https://lore.kernel.org/lkml/20210422200032.GA168995@embeddedor/ > Seems far simpler (and shorter lines). Done: https://lore.kernel.org/lkml/20210422200032.GA168995@embeddedor/ Thanks for the feedback. -- Gustavo
diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c index 33bef22e44e9..bb2de7c6bee4 100644 --- a/net/wireless/wext-spy.c +++ b/net/wireless/wext-spy.c @@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev, return -EOPNOTSUPP; /* Just do it */ - memcpy(&(spydata->spy_thr_low), &(threshold->low), - 2 * sizeof(struct iw_quality)); + memcpy(&spydata->spy_thr_low, &threshold->low, sizeof(threshold->low)); + memcpy(&spydata->spy_thr_high, &threshold->high, sizeof(threshold->high)); /* Clear flag */ memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under)); @@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev, memcpy(threshold.addr.sa_data, address, ETH_ALEN); threshold.addr.sa_family = ARPHRD_ETHER; /* Copy stats */ - memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality)); + memcpy(&threshold.qual, wstats, sizeof(threshold.qual)); /* Copy also thresholds */ - memcpy(&(threshold.low), &(spydata->spy_thr_low), - 2 * sizeof(struct iw_quality)); + memcpy(&threshold.low, &spydata->spy_thr_low, sizeof(threshold.low)); + memcpy(&threshold.high, &spydata->spy_thr_high, sizeof(threshold.high)); /* Send event to user space */ wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
Fix the following out-of-bounds warning: net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds] The problem is that the original code is trying to copy data into a couple of struct members adjacent to each other in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &threshold.low and &spydata->spy_thr_low. As these are just a couple of members, fix this by copying each one of them in separate calls to memcpy(). Also, while there, use sizeof(threshold.qual) instead of sizeof(struct iw_quality)) in another call to memcpy() above. This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- net/wireless/wext-spy.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)