diff mbox series

wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()

Message ID 20230729140500.27892-1-hdegoede@redhat.com
State New
Headers show
Series wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() | expand

Commit Message

Hans de Goede July 29, 2023, 2:05 p.m. UTC
Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
a backtrace caused by the following field-spanning error:

memcpy: detected field-spanning write (size 120) of single field
  "&params_le->channel_list[0]" at
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)

Fix this by replacing the channel_list[1] declaration at the end of
the struct with a flexible array declaration.

Most users of struct brcmf_scan_params_le calculate the size to alloc
using the size of the non flex-array part of the struct + needed extra
space, so they do not care about sizeof(struct brcmf_scan_params_le).

brcmf_notify_escan_complete() however uses the struct on the stack,
expecting there to be room for at least 1 entry in the channel-list
to store the special -1 abort channel-id.

To make this work use an anonymous union with a padding member
added + the actual channel_list flexible array.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 .../net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Kees Cook July 31, 2023, 11:06 p.m. UTC | #1
On Sat, Jul 29, 2023 at 04:05:00PM +0200, Hans de Goede wrote:
> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
> a backtrace caused by the following field-spanning error:
> 
> memcpy: detected field-spanning write (size 120) of single field
>   "&params_le->channel_list[0]" at
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
> 
> Fix this by replacing the channel_list[1] declaration at the end of
> the struct with a flexible array declaration.
> 
> Most users of struct brcmf_scan_params_le calculate the size to alloc
> using the size of the non flex-array part of the struct + needed extra
> space, so they do not care about sizeof(struct brcmf_scan_params_le).
> 
> brcmf_notify_escan_complete() however uses the struct on the stack,
> expecting there to be room for at least 1 entry in the channel-list
> to store the special -1 abort channel-id.
> 
> To make this work use an anonymous union with a padding member
> added + the actual channel_list flexible array.
> 
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Looks good to me; it's consistent with how similar 1-element arrays
with sensitive structure sizes have been updated lately. Thanks for
the investigation!

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees
Kalle Valo Aug. 1, 2023, 2:37 p.m. UTC | #2
Hans de Goede <hdegoede@redhat.com> wrote:

> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
> a backtrace caused by the following field-spanning error:
> 
> memcpy: detected field-spanning write (size 120) of single field
>   "&params_le->channel_list[0]" at
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
> 
> Fix this by replacing the channel_list[1] declaration at the end of
> the struct with a flexible array declaration.
> 
> Most users of struct brcmf_scan_params_le calculate the size to alloc
> using the size of the non flex-array part of the struct + needed extra
> space, so they do not care about sizeof(struct brcmf_scan_params_le).
> 
> brcmf_notify_escan_complete() however uses the struct on the stack,
> expecting there to be room for at least 1 entry in the channel-list
> to store the special -1 abort channel-id.
> 
> To make this work use an anonymous union with a padding member
> added + the actual channel_list flexible array.
> 
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>

Does the driver still work even if this warning is printed? I'm wondering
should I take this to wireless or wireless-next. Also a review from Broadcom
would be really good.

What about a Fixes tag?
Hans de Goede Aug. 1, 2023, 2:47 p.m. UTC | #3
Hi,

On 8/1/23 16:37, Kalle Valo wrote:
> Hans de Goede <hdegoede@redhat.com> wrote:
> 
>> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
>> a backtrace caused by the following field-spanning error:
>>
>> memcpy: detected field-spanning write (size 120) of single field
>>   "&params_le->channel_list[0]" at
>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
>>
>> Fix this by replacing the channel_list[1] declaration at the end of
>> the struct with a flexible array declaration.
>>
>> Most users of struct brcmf_scan_params_le calculate the size to alloc
>> using the size of the non flex-array part of the struct + needed extra
>> space, so they do not care about sizeof(struct brcmf_scan_params_le).
>>
>> brcmf_notify_escan_complete() however uses the struct on the stack,
>> expecting there to be room for at least 1 entry in the channel-list
>> to store the special -1 abort channel-id.
>>
>> To make this work use an anonymous union with a padding member
>> added + the actual channel_list flexible array.
>>
>> Cc: Kees Cook <keescook@chromium.org>
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> Reviewed-by: Kees Cook <keescook@chromium.org>
> 
> Does the driver still work even if this warning is printed? I'm wondering
> should I take this to wireless or wireless-next. Also a review from Broadcom
> would be really good.

It works fine, but it logs an oops / backtrace.

Note I did test the patch on a device where the warning was triggered and the warning is gone and wifi association still works.

So there is a slight preference to get this as a fix into 6.5 from my side.

> What about a Fixes tag? 

This is caused by the new field-spanning wtire checks enabled recently, so there is not really a brcmfmac commit to point to as the culprit.

Regards,

Hans
Kalle Valo Aug. 1, 2023, 2:55 p.m. UTC | #4
Hans de Goede <hdegoede@redhat.com> writes:

> Hi,
>
> On 8/1/23 16:37, Kalle Valo wrote:
>> Hans de Goede <hdegoede@redhat.com> wrote:
>> 
>>> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
>>> a backtrace caused by the following field-spanning error:
>>>
>>> memcpy: detected field-spanning write (size 120) of single field
>>>   "&params_le->channel_list[0]" at
>>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
>>>
>>> Fix this by replacing the channel_list[1] declaration at the end of
>>> the struct with a flexible array declaration.
>>>
>>> Most users of struct brcmf_scan_params_le calculate the size to alloc
>>> using the size of the non flex-array part of the struct + needed extra
>>> space, so they do not care about sizeof(struct brcmf_scan_params_le).
>>>
>>> brcmf_notify_escan_complete() however uses the struct on the stack,
>>> expecting there to be room for at least 1 entry in the channel-list
>>> to store the special -1 abort channel-id.
>>>
>>> To make this work use an anonymous union with a padding member
>>> added + the actual channel_list flexible array.
>>>
>>> Cc: Kees Cook <keescook@chromium.org>
>>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>>> Reviewed-by: Kees Cook <keescook@chromium.org>
>> 
>> Does the driver still work even if this warning is printed? I'm wondering
>> should I take this to wireless or wireless-next. Also a review from Broadcom
>> would be really good.
>
> It works fine, but it logs an oops / backtrace.

I'll add that info to the commit log.

> Note I did test the patch on a device where the warning was triggered
> and the warning is gone and wifi association still works.
>
> So there is a slight preference to get this as a fix into 6.5 from my side.

I'll queue this wireless then. But I really would like to Broadcom take
a look at this in case we are missing something.

>> What about a Fixes tag? 
>
> This is caused by the new field-spanning wtire checks enabled
> recently, so there is not really a brcmfmac commit to point to as the
> culprit.

Ok.
Franky Lin Aug. 1, 2023, 11:54 p.m. UTC | #5
On Tue, Aug 1, 2023 at 7:55 AM Kalle Valo <kvalo@kernel.org> wrote:
>
> Hans de Goede <hdegoede@redhat.com> writes:
>
> > Hi,
> >
> > On 8/1/23 16:37, Kalle Valo wrote:
> >> Hans de Goede <hdegoede@redhat.com> wrote:
> >>
> >>> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
> >>> a backtrace caused by the following field-spanning error:
> >>>
> >>> memcpy: detected field-spanning write (size 120) of single field
> >>>   "&params_le->channel_list[0]" at
> >>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
> >>>
> >>> Fix this by replacing the channel_list[1] declaration at the end of
> >>> the struct with a flexible array declaration.
> >>>
> >>> Most users of struct brcmf_scan_params_le calculate the size to alloc
> >>> using the size of the non flex-array part of the struct + needed extra
> >>> space, so they do not care about sizeof(struct brcmf_scan_params_le).
> >>>
> >>> brcmf_notify_escan_complete() however uses the struct on the stack,
> >>> expecting there to be room for at least 1 entry in the channel-list
> >>> to store the special -1 abort channel-id.
> >>>
> >>> To make this work use an anonymous union with a padding member
> >>> added + the actual channel_list flexible array.
> >>>
> >>> Cc: Kees Cook <keescook@chromium.org>
> >>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> >>> Reviewed-by: Kees Cook <keescook@chromium.org>

Looks good to me, thanks for taking care of it.

Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Kalle Valo Aug. 2, 2023, 10:35 a.m. UTC | #6
Hans de Goede <hdegoede@redhat.com> wrote:

> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
> a backtrace caused by the following field-spanning warning:
> 
> memcpy: detected field-spanning write (size 120) of single field
>   "&params_le->channel_list[0]" at
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
> 
> The driver still works after this warning. The warning was introduced by the
> new field-spanning write checks which were enabled recently.
> 
> Fix this by replacing the channel_list[1] declaration at the end of
> the struct with a flexible array declaration.
> 
> Most users of struct brcmf_scan_params_le calculate the size to alloc
> using the size of the non flex-array part of the struct + needed extra
> space, so they do not care about sizeof(struct brcmf_scan_params_le).
> 
> brcmf_notify_escan_complete() however uses the struct on the stack,
> expecting there to be room for at least 1 entry in the channel-list
> to store the special -1 abort channel-id.
> 
> To make this work use an anonymous union with a padding member
> added + the actual channel_list flexible array.
> 
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: Franky Lin <franky.lin@broadcom.com>

Patch applied to wireless.git, thanks.

16e455a465fc wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
index 792adaf880b4..bece26741d3a 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
@@ -398,7 +398,12 @@  struct brcmf_scan_params_le {
 				 * fixed parameter portion is assumed, otherwise
 				 * ssid in the fixed portion is ignored
 				 */
-	__le16 channel_list[1];	/* list of chanspecs */
+	union {
+		__le16 padding;	/* Reserve space for at least 1 entry for abort
+				 * which uses an on stack brcmf_scan_params_le
+				 */
+		DECLARE_FLEX_ARRAY(__le16, channel_list);	/* chanspecs */
+	};
 };
 
 struct brcmf_scan_params_v2_le {