From patchwork Wed Feb 23 02:38:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545563 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40312C433F5 for ; Wed, 23 Feb 2022 02:33:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234500AbiBWCeJ (ORCPT ); Tue, 22 Feb 2022 21:34:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44094 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237233AbiBWCcl (ORCPT ); Tue, 22 Feb 2022 21:32:41 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD9DA5A5B8; Tue, 22 Feb 2022 18:30:38 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 51324B81E15; Wed, 23 Feb 2022 02:30:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 563D1C340F1; Wed, 23 Feb 2022 02:30:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583437; bh=5J/lYOlg+fnmxcJ6RZWQwnyehKvMIl8d1ncoQiQ9fcw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=l5XjhmXsJFytYXELA4i2ZwCcGg+xyPVOUOmnnsbNJQ341mu1a0oVQivPUKHALanHC mpVNPFyLG4OiYCzy8Nf3m8am4Xm+5NCM/Y32QDMo02QsTh5ygKLaJdZK3iv5ikJl9h 68RSNY4/+tfWZ2IIoOCbVxU2a/wdr35rKdHztRXsPeGgTtxP9YwbtKTlEOyHQgE3v2 AzS4tXqV3OeSgLE69yzpYmRC7sOdujBNcVhxVF3b9zpsqm5fl04oGy1E4D+xwmD+nw L05CUHVP7AjL5m7TchcP9uU4Cd0vgWHFVvYh3dmGPnxiJI1Ez3IOSwl2JZd2FEOk+r Jt36jNXVXUPpw== Date: Tue, 22 Feb 2022 20:38:31 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 1/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_begin_scan_cmd Message-ID: References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_begin_scan_cmd. Also, make use of the struct_size() helper. This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva --- drivers/net/wireless/ath/ath6kl/wmi.c | 9 ++------- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index bd1ef6334997..e1c950014f3e 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -2008,7 +2008,7 @@ int ath6kl_wmi_beginscan_cmd(struct wmi *wmi, u8 if_idx, struct ieee80211_supported_band *sband; struct sk_buff *skb; struct wmi_begin_scan_cmd *sc; - s8 size, *supp_rates; + s8 *supp_rates; int i, band, ret; struct ath6kl *ar = wmi->parent_dev; int num_rates; @@ -2023,18 +2023,13 @@ int ath6kl_wmi_beginscan_cmd(struct wmi *wmi, u8 if_idx, num_chan, ch_list); } - size = sizeof(struct wmi_begin_scan_cmd); - if ((scan_type != WMI_LONG_SCAN) && (scan_type != WMI_SHORT_SCAN)) return -EINVAL; if (num_chan > WMI_MAX_CHANNELS) return -EINVAL; - if (num_chan) - size += sizeof(u16) * (num_chan - 1); - - skb = ath6kl_wmi_get_new_buf(size); + skb = ath6kl_wmi_get_new_buf(struct_size(sc, ch_list, num_chan)); if (!skb) return -ENOMEM; diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 784940ba4c90..322539ed9c12 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -863,7 +863,7 @@ struct wmi_begin_scan_cmd { u8 num_ch; /* channels in Mhz */ - __le16 ch_list[1]; + __le16 ch_list[]; } __packed; /* wmi_start_scan_cmd is to be deprecated. Use From patchwork Wed Feb 23 02:38:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545561 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE648C43219 for ; Wed, 23 Feb 2022 02:33:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231725AbiBWCeT (ORCPT ); Tue, 22 Feb 2022 21:34:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42636 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237335AbiBWCc5 (ORCPT ); Tue, 22 Feb 2022 21:32:57 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA73A5838B; Tue, 22 Feb 2022 18:30:49 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 30C81B81E0D; Wed, 23 Feb 2022 02:30:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 40669C340F1; Wed, 23 Feb 2022 02:30:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583447; bh=84NzthgNnggRukjxvstPsXLf6qk4EW6yOe7lHrtHxx0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=TWv0ro/9xn6xSlMZJgb4RV1cw3oqjLzuCs6xkxP9G/AvZ7cHpd42u+8dGcuJQ1oDF Vx78JVqr0lNfeSew2fveDUP+7d29/zLve+3tEcqzoS/hFnX/j1vqm5756VmLxMUhXB mzZjAFuUEcqAFVj9I7QRNSSH+hfdxqGOKlbnY4enCBg07/QZEuee3fUQO0X7vsLtfT uPYq1k0mNK95F0G9oLPPFSiV153zxjY5pF16rKBANM/ZvzWb6pI9pY4HQgiFl4mer0 PEowR1PrAX852KxMR9wmV9zFhhKNhY5/93BNkWW/KhJ0Dhdko7DnqGGY2fntZiZk6B 6ERGLGdcgPy1A== Date: Tue, 22 Feb 2022 20:38:41 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 2/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_start_scan_cmd Message-ID: References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_start_scan_cmd. Also, make use of the struct_size() helper. This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva --- drivers/net/wireless/ath/ath6kl/wmi.c | 8 +------- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index e1c950014f3e..bdfc057c5a82 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -1959,21 +1959,15 @@ static int ath6kl_wmi_startscan_cmd(struct wmi *wmi, u8 if_idx, { struct sk_buff *skb; struct wmi_start_scan_cmd *sc; - s8 size; int i, ret; - size = sizeof(struct wmi_start_scan_cmd); - if ((scan_type != WMI_LONG_SCAN) && (scan_type != WMI_SHORT_SCAN)) return -EINVAL; if (num_chan > WMI_MAX_CHANNELS) return -EINVAL; - if (num_chan) - size += sizeof(u16) * (num_chan - 1); - - skb = ath6kl_wmi_get_new_buf(size); + skb = ath6kl_wmi_get_new_buf(struct_size(sc, ch_list, num_chan)); if (!skb) return -ENOMEM; diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 322539ed9c12..9e168752bec2 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -889,7 +889,7 @@ struct wmi_start_scan_cmd { u8 num_ch; /* channels in Mhz */ - __le16 ch_list[1]; + __le16 ch_list[]; } __packed; /* From patchwork Wed Feb 23 02:38:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545564 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4ACBC433F5 for ; Wed, 23 Feb 2022 02:33:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237317AbiBWCeG (ORCPT ); Tue, 22 Feb 2022 21:34:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237420AbiBWCdE (ORCPT ); Tue, 22 Feb 2022 21:33:04 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3443354BEF; Tue, 22 Feb 2022 18:31:00 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D436AB81DD2; Wed, 23 Feb 2022 02:30:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB55AC340F1; Wed, 23 Feb 2022 02:30:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583455; bh=H9zXEc7xajyp0WNLmUqmywqLWj4AFxabUZT7J4ZwI44=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=pO9XXYnrCCqQPomdmANKP8O9qxTbnjx61E+exDu2XW+tnjbuSvKAKWseHRJRMhU8t 5+R5p/2OSuPBl7aTHW60WkNbnttWsgGC4mojnWOP99ZEV05EA187xYchv1l1VQ+ltU MsZ64e1DKkJZY//dOFdOlnMKrG7ulpalLxc/OlNKjBC39NVFlFpZCVq1qlkxx6MfB8 wK18E7iOXvEvB2dLkSwNLYrPwhDTxkJmOA16rguBlXYHzT8yiGMV29dLWUNcZ5Xl19 HX6C373RMnIPZ8jRkGH81+EYY2j2i17PVgRs6rpYgBgK4E3Dw7GTf+tMUr95P5iFP/ KS8HBWNzjzQ4Q== Date: Tue, 22 Feb 2022 20:38:50 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 3/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_channel_list_reply Message-ID: <30306253b1b5e6b8f5c0faba97e935eda4638020.1645583264.git.gustavoars@kernel.org> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_channel_list_reply. It's also worth noting that due to the flexible array transformation, the size of struct wmi_channel_list_reply changed, see below. Before flex-array transformation: struct wmi_channel_list_reply { u8 reserved; /* 0 1 */ u8 num_ch; /* 1 1 */ __le16 ch_list[1]; /* 2 2 */ /* size: 4, cachelines: 1, members: 3 */ /* last cacheline: 4 bytes */ }; After flex-array transformation: struct wmi_channel_list_reply { u8 reserved; /* 0 1 */ u8 num_ch; /* 1 1 */ __le16 ch_list[]; /* 2 0 */ /* size: 2, cachelines: 1, members: 3 */ /* last cacheline: 2 bytes */ }; So, the following change preserves the logic that if _len_ is at least 4 bytes in size, this is the existence of at least one channel in ch_list[] is being considered, then the execution jumps to call ath6kl_wakeup_event(wmi->parent_dev);, otherwise _len_ is 2 bytes or less and the code returns -EINVAL: - if (len < sizeof(struct wmi_channel_list_reply)) + if (len <= sizeof(struct wmi_channel_list_reply)) This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva --- Hi! It'd be great if someone can confirm or comment on the following changes described in the changelog text: - if (len < sizeof(struct wmi_channel_list_reply)) + if (len <= sizeof(struct wmi_channel_list_reply)) Thanks drivers/net/wireless/ath/ath6kl/wmi.c | 2 +- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index bdfc057c5a82..049d75f31f3c 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -1240,7 +1240,7 @@ static int ath6kl_wmi_ratemask_reply_rx(struct wmi *wmi, u8 *datap, int len) static int ath6kl_wmi_ch_list_reply_rx(struct wmi *wmi, u8 *datap, int len) { - if (len < sizeof(struct wmi_channel_list_reply)) + if (len <= sizeof(struct wmi_channel_list_reply)) return -EINVAL; ath6kl_wakeup_event(wmi->parent_dev); diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 9e168752bec2..432e4f428a4a 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -1373,7 +1373,7 @@ struct wmi_channel_list_reply { u8 num_ch; /* channel in Mhz */ - __le16 ch_list[1]; + __le16 ch_list[]; } __packed; /* List of Events (target to host) */ From patchwork Wed Feb 23 02:38:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545562 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6EE6C433EF for ; Wed, 23 Feb 2022 02:33:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237186AbiBWCeP (ORCPT ); Tue, 22 Feb 2022 21:34:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43172 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237591AbiBWCdQ (ORCPT ); Tue, 22 Feb 2022 21:33:16 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70BE75E74E; Tue, 22 Feb 2022 18:31:20 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E63036157F; Wed, 23 Feb 2022 02:31:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8EFF3C340EB; Wed, 23 Feb 2022 02:31:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583463; bh=TiTQiThEcjMtldsoXuGuzk5+IrynefCoac+K2A/X0ZQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FX8vOT9INRi15jmEHdaHjHRcT7R00ciDebJJCTKPl3ZURLX0k3t8KWFCp57YgRo0J Dmw9OalEKv7Cvgdy+58l+TRnmZuMHHwXFRn9rfNEEPlq1TshHsxEQLCJco7Zh5214S iZSUMKOuTqENBm+B9D840+pcfuDMjfBWFqx/hLO5aiFyeZcbN1mklHAG4WwwXGGrNQ Rp8vogO3oWdK52DWDd/dH7AsKtJ3hPtTzE9yKte5hkrOJSw1I4vfnnXf3CWLs4UFSu tfEj9URYhHmFo5S+5zagNG1Zr/+bdhc4nxwqzun0R1GD4YO6JoXfqsvbYe4ipdh1ai sGIxvJa9AN+JA== Date: Tue, 22 Feb 2022 20:38:57 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 4/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_connect_event Message-ID: <8a0e347615a3516980fd8b6ad2dc4864a880613b.1645583264.git.gustavoars@kernel.org> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_connect_event. It's also worth noting that due to the flexible array transformation, the size of struct wmi_connect_event changed (now the size is 1 byte smaller), and in order to preserve the logic of before the transformation, the following change is needed: - if (len < sizeof(struct wmi_connect_event)) + if (len <= sizeof(struct wmi_connect_event)) This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva Reviewed-by: Jeff Johnson --- Hi! It'd be great if someone can confirm or comment on the following changes described in the changelog text: - if (len < sizeof(struct wmi_connect_event)) + if (len <= sizeof(struct wmi_connect_event)) Thanks drivers/net/wireless/ath/ath6kl/wmi.c | 2 +- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index 049d75f31f3c..ccdccead688e 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -857,7 +857,7 @@ static int ath6kl_wmi_connect_event_rx(struct wmi *wmi, u8 *datap, int len, struct wmi_connect_event *ev; u8 *pie, *peie; - if (len < sizeof(struct wmi_connect_event)) + if (len <= sizeof(struct wmi_connect_event)) return -EINVAL; ev = (struct wmi_connect_event *) datap; diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 432e4f428a4a..6b064e669d87 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -1545,7 +1545,7 @@ struct wmi_connect_event { u8 beacon_ie_len; u8 assoc_req_len; u8 assoc_resp_len; - u8 assoc_info[1]; + u8 assoc_info[]; } __packed; /* Disconnect Event */ From patchwork Wed Feb 23 02:39:05 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545565 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E0B3C433FE for ; Wed, 23 Feb 2022 02:33:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237324AbiBWCeB (ORCPT ); Tue, 22 Feb 2022 21:34:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237512AbiBWCdJ (ORCPT ); Tue, 22 Feb 2022 21:33:09 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E66275C875; Tue, 22 Feb 2022 18:31:11 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8DD3BB81CA7; Wed, 23 Feb 2022 02:31:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 99613C340EB; Wed, 23 Feb 2022 02:31:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583470; bh=Gj0iWRHvzKvEEd9PMj+e/nxm3CPNPPbzzqd6+h5mdpk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=UkxdGCOA1BSb1FZYDeps3UPMw9Fz7KOUW5QYv/KW6HM3tGTQgvOb3/n+wW8gazf73 F6UodAknZm3e5kwiptyJfo4GuYjBwblbghw4rpe7vTTjw8hnbTcMJaff1RyHui3iXm NxURPCeB0tKlWSakzJUtEi+EFBYnB4fYVRn/wf2+1J8Rauf5vuXHAdXzpsG9QU3ssf 9R+ab3mKfDs0uX3uXnyxERRFJM61RB0WQWAohPMFF06dJk5i6InJg6CfDAvqhnwdcV scbbokgjg7ko5Egk+AgvvrYgjKXo1fqBFQ286jhFF/7GIG8FF+/p6MK9KomQRARttW xpHDCo6id22qw== Date: Tue, 22 Feb 2022 20:39:05 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 5/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_disconnect_event Message-ID: <4a42b591109202589cb1cf87df13daef02eb75f9.1645583264.git.gustavoars@kernel.org> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_disconnect_event. It's also worth noting that due to the flexible array transformation, the size of struct wmi_disconnect_event changed (now the size is 1 byte smaller), and in order to preserve the logic of before the transformation, the following change is needed: - if (len < sizeof(struct wmi_disconnect_event)) + if (len <= sizeof(struct wmi_disconnect_event)) This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva --- Hi! It'd be great if someone can confirm or comment on the following changes described in the changelog text: - if (len < sizeof(struct wmi_disconnect_event)) + if (len <= sizeof(struct wmi_disconnect_event)) Thanks drivers/net/wireless/ath/ath6kl/wmi.c | 2 +- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index ccdccead688e..645fb6cae3be 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -1023,7 +1023,7 @@ static int ath6kl_wmi_disconnect_event_rx(struct wmi *wmi, u8 *datap, int len, struct wmi_disconnect_event *ev; wmi->traffic_class = 100; - if (len < sizeof(struct wmi_disconnect_event)) + if (len <= sizeof(struct wmi_disconnect_event)) return -EINVAL; ev = (struct wmi_disconnect_event *) datap; diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 6b064e669d87..6a7fc07cd9aa 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -1596,7 +1596,7 @@ struct wmi_disconnect_event { u8 disconn_reason; u8 assoc_resp_len; - u8 assoc_info[1]; + u8 assoc_info[]; } __packed; /* From patchwork Wed Feb 23 02:39:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 545877 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01777C433FE for ; Wed, 23 Feb 2022 02:33:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237229AbiBWCeR (ORCPT ); Tue, 22 Feb 2022 21:34:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43410 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237581AbiBWCdP (ORCPT ); Tue, 22 Feb 2022 21:33:15 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04DC755499; Tue, 22 Feb 2022 18:31:19 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 962E6B81DD2; Wed, 23 Feb 2022 02:31:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7E28BC340EB; Wed, 23 Feb 2022 02:31:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645583477; bh=b4fg9t+rSbYEnlrrD0PfvXHUsfVJWu2Xtp897/eWJBg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Jxmoj2CZYxA+OVt0dxFgPwPk1xHQXLNTX+kgiSqd95ArDpUICHRWVm39778T7thmd 7uBee3ECpqEZCNygF9cTUtPeNClyqd/5g3XjwUj+hxtst0lHzGRFAj+oyvuoATK7mz CLp2u3oGAvgHt6I+iFARqczW7Ha8ua9XJM9OsvuLoyLJ+O/xwxvzuB7/tn8kFtec4p e3svrFHfaZN+saF6QDWoVreAV6AkKuk6cNVIoqRxI+zWh0ES8HmvRkPNF1Skrhxdmt FUa1iuRrNynkXh06YzaysM9pzIKTayZC4NPh9pnvh0vLSgJls7/CqsY+Aog/JEVSJy TnvslMv0dp47Q== Date: Tue, 22 Feb 2022 20:39:11 -0600 From: "Gustavo A. R. Silva" To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kalle Valo , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-hardening@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 6/6][next] ath6kl: wmi: Replace one-element array with flexible-array member in struct wmi_aplist_event Message-ID: References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Replace one-element array with flexible-array member in struct wmi_aplist_event. It's also worth noting that due to the flexible array transformation, the size of struct wmi_aplist_event changed (now the size is 8-byte smaller), and in order to preserve the logic of before the transformation, the following change is needed: - if (len < sizeof(struct wmi_aplist_event)) + if (len <= sizeof(struct wmi_aplist_event)) sizeof(struct wmi_aplist_event) before the flex-array transformation: struct wmi_aplist_event { u8 ap_list_ver; /* 0 1 */ u8 num_ap; /* 1 1 */ union wmi_ap_info ap_list[1]; /* 2 8 */ /* size: 10, cachelines: 1, members: 3 */ /* last cacheline: 10 bytes */ }; sizeof(struct wmi_aplist_event) after the flex-array transformation: struct wmi_aplist_event { u8 ap_list_ver; /* 0 1 */ u8 num_ap; /* 1 1 */ union wmi_ap_info ap_list[]; /* 2 0 */ /* size: 2, cachelines: 1, members: 3 */ /* last cacheline: 2 bytes */ }; Also, make use of the struct_size() helper and remove unneeded variable ap_info_entry_size. This issue was found with the help of Coccinelle and audited and fixed, manually. Link: https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Signed-off-by: Gustavo A. R. Silva --- Hi! It'd be great if someone can confirm or comment on the following changes described in the changelog text: - if (len < sizeof(struct wmi_aplist_event)) + if (len <= sizeof(struct wmi_aplist_event)) Thanks drivers/net/wireless/ath/ath6kl/wmi.c | 7 ++----- drivers/net/wireless/ath/ath6kl/wmi.h | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c index 645fb6cae3be..484d37e66ce6 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.c +++ b/drivers/net/wireless/ath/ath6kl/wmi.c @@ -1750,23 +1750,20 @@ static int ath6kl_wmi_snr_threshold_event_rx(struct wmi *wmi, u8 *datap, static int ath6kl_wmi_aplist_event_rx(struct wmi *wmi, u8 *datap, int len) { - u16 ap_info_entry_size; struct wmi_aplist_event *ev = (struct wmi_aplist_event *) datap; struct wmi_ap_info_v1 *ap_info_v1; u8 index; - if (len < sizeof(struct wmi_aplist_event) || + if (len <= sizeof(struct wmi_aplist_event) || ev->ap_list_ver != APLIST_VER1) return -EINVAL; - ap_info_entry_size = sizeof(struct wmi_ap_info_v1); ap_info_v1 = (struct wmi_ap_info_v1 *) ev->ap_list; ath6kl_dbg(ATH6KL_DBG_WMI, "number of APs in aplist event: %d\n", ev->num_ap); - if (len < (int) (sizeof(struct wmi_aplist_event) + - (ev->num_ap - 1) * ap_info_entry_size)) + if (len < struct_size(ev, ap_list, ev->num_ap)) return -EINVAL; /* AP list version 1 contents */ diff --git a/drivers/net/wireless/ath/ath6kl/wmi.h b/drivers/net/wireless/ath/ath6kl/wmi.h index 6a7fc07cd9aa..a9732660192a 100644 --- a/drivers/net/wireless/ath/ath6kl/wmi.h +++ b/drivers/net/wireless/ath/ath6kl/wmi.h @@ -1957,7 +1957,7 @@ union wmi_ap_info { struct wmi_aplist_event { u8 ap_list_ver; u8 num_ap; - union wmi_ap_info ap_list[1]; + union wmi_ap_info ap_list[]; } __packed; /* Developer Commands */