[10/64] lib80211: Use struct_group() for memcpy() region

Message ID	20210727205855.411487-11-keescook@chromium.org
State	New
Headers	show Return-Path: <netdev-owner@kernel.org> From: Kees Cook <keescook@chromium.org> To: linux-hardening@vger.kernel.org Cc: Kees Cook <keescook@chromium.org>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, Keith Packard <keithpac@amazon.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Andrew Morton <akpm@linux-foundation.org>, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com Subject: [PATCH 10/64] lib80211: Use struct_group() for memcpy() region Date: Tue, 27 Jul 2021 13:58:01 -0700 Message-Id: <20210727205855.411487-11-keescook@chromium.org> In-Reply-To: <20210727205855.411487-1-keescook@chromium.org> References: <20210727205855.411487-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Introduce strict memcpy() bounds checking \| expand [00/64] Introduce strict memcpy() bounds checking [01/64] media: omap3isp: Extract struct group for memcpy() region [02/64] mac80211: Use flex-array for radiotap header bitmap [03/64] rpmsg: glink: Replace strncpy() with strscpy_pad() [04/64] stddef: Introduce struct_group() helper macro [05/64] skbuff: Switch structure bounds to struct_group() [06/64] bnxt_en: Use struct_group_attr() for memcpy() region [07/64] staging: rtl8192e: Use struct_group() for memcpy() region [08/64] staging: rtl8192u: Use struct_group() for memcpy() region [09/64] staging: rtl8723bs: Avoid field-overflowing memcpy() [10/64] lib80211: Use struct_group() for memcpy() region [11/64] net/mlx5e: Avoid field-overflowing memcpy() [12/64] mwl8k: Use struct_group() for memcpy() region [13/64] libertas: Use struct_group() for memcpy() region [14/64] libertas_tf: Use struct_group() for memcpy() region [15/64] ipw2x00: Use struct_group() for memcpy() region [16/64] thermal: intel: int340x_thermal: Use struct_group() for memcpy() region [17/64] iommu/amd: Use struct_group() for memcpy() region [18/64] cxgb3: Use struct_group() for memcpy() region [19/64] ip: Use struct_group() for memcpy() regions [20/64] intersil: Use struct_group() for memcpy() region [21/64] cxgb4: Use struct_group() for memcpy() region [22/64] bnx2x: Use struct_group() for memcpy() region [23/64] drm/amd/pm: Use struct_group() for memcpy() region [24/64] staging: wlan-ng: Use struct_group() for memcpy() region [25/64] drm/mga/mga_ioc32: Use struct_group() for memcpy() region [26/64] net/mlx5e: Use struct_group() for memcpy() region [27/64] HID: cp2112: Use struct_group() for memcpy() region [28/64] compiler_types.h: Remove __compiletime_object_size() [29/64] lib/string: Move helper functions out of string.c [30/64] fortify: Move remaining fortify helpers into fortify-string.h [31/64] fortify: Explicitly disable Clang support [32/64] fortify: Add compile-time FORTIFY_SOURCE tests [33/64] lib: Introduce CONFIG_TEST_MEMCPY [34/64] fortify: Detect struct member overflows in memcpy() at compile-time [35/64] fortify: Detect struct member overflows in memmove() at compile-time [36/64] scsi: ibmvscsi: Avoid multi-field memset() overflow by aiming at srp [37/64] string.h: Introduce memset_after() for wiping trailing members/padding [38/64] xfrm: Use memset_after() to clear padding [39/64] mac80211: Use memset_after() to clear tx status [40/64] net: 802: Use memset_after() to clear struct fields [41/64] net: dccp: Use memset_after() for TP zeroing [42/64] net: qede: Use memset_after() for counters [43/64] ath11k: Use memset_after() for clearing queue descriptors [44/64] iw_cxgb4: Use memset_after() for cpl_t5_pass_accept_rpl [45/64] intel_th: msu: Use memset_after() for clearing hw header [46/64] IB/mthca: Use memset_after() for clearing mpt_entry [47/64] btrfs: Use memset_after() to clear end of struct [48/64] drbd: Use struct_group() to zero algs [49/64] cm4000_cs: Use struct_group() to zero struct cm4000_dev region [50/64] KVM: x86: Use struct_group() to zero decode cache [51/64] tracing: Use struct_group() to zero struct trace_iterator [52/64] dm integrity: Use struct_group() to zero struct journal_sector [53/64] HID: roccat: Use struct_group() to zero kone_mouse_event [54/64] ipv6: Use struct_group() to zero rt6_info [55/64] RDMA/mlx5: Use struct_group() to zero struct mlx5_ib_mr [56/64] ethtool: stats: Use struct_group() to clear all stats at once [57/64] netfilter: conntrack: Use struct_group() to zero struct nf_conn [58/64] powerpc: Split memset() to avoid multi-field overflow [59/64] fortify: Detect struct member overflows in memset() at compile-time [60/64] fortify: Work around Clang inlining bugs [61/64] Makefile: Enable -Warray-bounds [62/64] netlink: Avoid false-positive memcpy() warning [63/64] iwlwifi: dbg_ini: Split memcpy() to avoid multi-field write [64/64] fortify: Add run-time WARN for cross-field memcpy()

Message ID

20210727205855.411487-11-keescook@chromium.org

State

New

Headers

From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	Keith Packard <keithpac@amazon.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
	linux-staging@lists.linux.dev, linux-block@vger.kernel.org,
	linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com
Subject: [PATCH 10/64] lib80211: Use struct_group() for memcpy() region
Date: Tue, 27 Jul 2021 13:58:01 -0700
Message-Id: <20210727205855.411487-11-keescook@chromium.org>
In-Reply-To: <20210727205855.411487-1-keescook@chromium.org>
References: <20210727205855.411487-1-keescook@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Introduce strict memcpy() bounds checking | expand

Commit Message

Kees Cook July 27, 2021, 8:58 p.m. UTC

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

Use struct_group() around members addr1, addr2, and addr3 in struct
ieee80211_hdr so they can be referenced together. This will allow memcpy()
and sizeof() to more easily reason about sizes, improve readability,
and avoid future warnings about writing beyond the end of addr1.

"pahole" shows no size nor member offset changes to struct ieee80211_hdr.
"objdump -d" shows no meaningful object code changes (i.e. only source
line number induced differences and optimizations).

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/staging/rtl8723bs/core/rtw_security.c | 5 +++--
 drivers/staging/rtl8723bs/core/rtw_xmit.c     | 5 +++--
 include/linux/ieee80211.h                     | 8 +++++---
 net/wireless/lib80211_crypt_ccmp.c            | 3 ++-
 4 files changed, 13 insertions(+), 8 deletions(-)

Comments

Johannes Berg Aug. 13, 2021, 7:44 p.m. UTC | #1

On Fri, 2021-08-13 at 08:49 -0700, Kees Cook wrote:
> 

> Ah! Yes, thanks for pointing this out. During earlier development I split

> the "cross-field write" changes from the "cross-field read" changes, and

> it looks like I missed moving lib80211_crypt_ccmp.c into that portion of

> the series (which I haven't posted nor finished -- it's lower priority

> than fixing the cross-field writes).


Oh, OK. I think all of this patch was cross-field read though.

Anyway, the patch itself is fine, just seems incomplete and somewhat
badly organised :)

johannes

diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
index a99f439328f1..be7cf42855a1 100644
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -1421,8 +1421,9 @@  u32 rtw_BIP_verify(struct adapter *padapter, u8 *precvframe)
 		ClearRetry(BIP_AAD);
 		ClearPwrMgt(BIP_AAD);
 		ClearMData(BIP_AAD);
-		/* conscruct AAD, copy address 1 to address 3 */
-		memcpy(BIP_AAD+2, pwlanhdr->addr1, 18);
+		/* conscruct AAD, copy address 1 through address 3 */
+		BUILD_BUG_ON(sizeof(pwlanhdr->addrs) != 3 * ETH_ALEN);
+		memcpy(BIP_AAD + 2, &pwlanhdr->addrs, 3 * ETH_ALEN);
 
 		if (omac1_aes_128(padapter->securitypriv.dot11wBIPKey[padapter->securitypriv.dot11wBIPKeyid].skey
 			, BIP_AAD, ori_len, mic))
diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 79e4d7df1ef5..cb47db784130 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -1198,8 +1198,9 @@  s32 rtw_mgmt_xmitframe_coalesce(struct adapter *padapter, struct sk_buff *pkt, s
 		ClearRetry(BIP_AAD);
 		ClearPwrMgt(BIP_AAD);
 		ClearMData(BIP_AAD);
-		/* conscruct AAD, copy address 1 to address 3 */
-		memcpy(BIP_AAD+2, pwlanhdr->addr1, 18);
+		/* conscruct AAD, copy address 1 through address 3 */
+		BUILD_BUG_ON(sizeof(pwlanhdr->addrs) != 3 * ETH_ALEN);
+		memcpy(BIP_AAD + 2, &pwlanhdr->addrs, 3 * ETH_ALEN);
 		/* copy management fram body */
 		memcpy(BIP_AAD+BIP_AAD_SIZE, MGMT_body, frame_body_len);
 		/* calculate mic */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index a6730072d13a..d7932b520aaf 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -297,9 +297,11 @@  static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
 struct ieee80211_hdr {
 	__le16 frame_control;
 	__le16 duration_id;
-	u8 addr1[ETH_ALEN];
-	u8 addr2[ETH_ALEN];
-	u8 addr3[ETH_ALEN];
+	struct_group(addrs,
+		u8 addr1[ETH_ALEN];
+		u8 addr2[ETH_ALEN];
+		u8 addr3[ETH_ALEN];
+	);
 	__le16 seq_ctrl;
 	u8 addr4[ETH_ALEN];
 } __packed __aligned(2);
diff --git a/net/wireless/lib80211_crypt_ccmp.c b/net/wireless/lib80211_crypt_ccmp.c
index 6a5f08f7491e..21d7c39bb394 100644
--- a/net/wireless/lib80211_crypt_ccmp.c
+++ b/net/wireless/lib80211_crypt_ccmp.c
@@ -136,7 +136,8 @@  static int ccmp_init_iv_and_aad(const struct ieee80211_hdr *hdr,
 	pos = (u8 *) hdr;
 	aad[0] = pos[0] & 0x8f;
 	aad[1] = pos[1] & 0xc7;
-	memcpy(aad + 2, hdr->addr1, 3 * ETH_ALEN);
+	BUILD_BUG_ON(sizeof(hdr->addrs) != 3 * ETH_ALEN);
+	memcpy(aad + 2, &hdr->addrs, ETH_ALEN);
 	pos = (u8 *) & hdr->seq_ctrl;
 	aad[20] = pos[0] & 0x0f;
 	aad[21] = 0;		/* all bits masked */

[10/64] lib80211: Use struct_group() for memcpy() region

Commit Message

Comments

Patch