From: Dmitry Antipov
To: Kalle Valo
Cc: Brian Norris, linux-wireless@vger.kernel.org, Dmitry Antipov
Subject: [PATCH 2/3] [v4] wifi: mwifiex: fix fortify warning
Date: Thu, 29 Jun 2023 11:51:01 +0300
Message-ID: <20230629085115.180499-2-dmantipov@yandex.ru>
In-Reply-To: <20230629085115.180499-1-dmantipov@yandex.ru>
References: <20230629085115.180499-1-dmantipov@yandex.ru>

When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, I've noticed
the following:

In function ‘fortify_memcpy_chk’,
    inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3,
    inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6:
./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning]
  529 |                         __read_overflow2_field(q_size_field, size);
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The compiler actually complains on:

memmove(pos + ETH_ALEN, &mgmt->u.action.category,
        sizeof(mgmt->u.action.u.tdls_discover_resp));

and it happens because the fortification logic interprets this as an
attempt to overread 1-byte 'u.action.category' member of 'struct
ieee80211_mgmt'. To silence this warning, it's enough to pass an address
of 'u.action' itself instead of an address of its first member. This
also fixes an improper usage of 'sizeof()'.
Since 'skb' is extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1'
bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'), I assume that
the same number of bytes should be copied.

Suggested-by: Brian Norris
Signed-off-by: Dmitry Antipov
---
v4: fix memmove() size calculation (Brian Norris)
---
 drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c index 97bb87c3676b..6c60621b6ccc 100644 --- a/drivers/net/wireless/marvell/mwifiex/tdls.c +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c @@ -735,6 +735,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, int ret; u16 capab; struct ieee80211_ht_cap *ht_cap; + unsigned int extra; u8 radio, *pos; capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap; @@ -753,7 +754,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, switch (action_code) { case WLAN_PUB_ACTION_TDLS_DISCOVER_RES: - skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1); + /* See the layout of 'struct ieee80211_mgmt'. */ + extra = sizeof(mgmt->u.action.u.tdls_discover_resp) + + sizeof(mgmt->u.action.category); + skb_put(skb, extra); mgmt->u.action.category = WLAN_CATEGORY_PUBLIC; mgmt->u.action.u.tdls_discover_resp.action_code = WLAN_PUB_ACTION_TDLS_DISCOVER_RES; @@ -762,8 +766,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, mgmt->u.action.u.tdls_discover_resp.capability = cpu_to_le16(capab); /* move back for addr4 */ - memmove(pos + ETH_ALEN, &mgmt->u.action.category, - sizeof(mgmt->u.action.u.tdls_discover_resp)); + memmove(pos + ETH_ALEN, &mgmt->u.action, extra); /* init address 4 */ eth_broadcast_addr(pos); -- 2.41.0
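Review bot: in the @@ -753,7 +754,10 @@ hunk the comment "/* See the layout of 'struct ieee80211_mgmt'. */" does not say which property of the layout is being relied on. 'sizeof(mgmt->u.action.u.tdls_discover_resp) + sizeof(mgmt->u.action.category)' is the contiguous byte span from 'category' through the end of the response header only because 'category' is immediately followed by the 'u' union and 'struct ieee80211_mgmt' is declared __packed, so no padding can sit between them. Either state that in the comment (e.g. "category is immediately followed by the action body and the struct is packed, so this is exactly the number of bytes written below") or compute 'extra' from offsets of 'category' and the end of 'tdls_discover_resp' so the comment is not needed; a reader who later adds a field between them would otherwise get a silently wrong 'skb_put()' length.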
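Review bot: the @@ -762,8 +766,7 @@ hunk fixes more than a compiler warning and the commit message should say so rather than "I assume". The removed 'memmove()' copied 'sizeof(mgmt->u.action.u.tdls_discover_resp)' bytes starting at 'category', one byte fewer than the 'category', 'action_code', 'dialog_token' and 'capability' fields that the preceding lines write, so the last byte of 'capability' was never moved to its final position behind addr4 and that byte of the frame held whatever the skb contained. Copying 'extra' bytes, the same count that 'skb_put()' reserved, closes that. Note also that passing '&mgmt->u.action' satisfies the fortify check because the source object is now the whole 'action' struct, whose union body is far larger than 'extra', so the check is no longer tight; that is acceptable here because 'extra' is derived from the very fields being copied, but it deserves a sentence in the log.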
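As an added example, not code from the patch, the mwifiex driver or the kernel, the following user-space C replica of the discovery-response construction shows in bytes what the size change does. 'struct mgmt' mirrors the part of 'struct ieee80211_mgmt' involved (24-byte header, then 'category' followed by the 'tdls_discover_resp' body), with the same __packed and aligned(2) attributes as the kernel definition; the trailing 'variable[]' flexible array is omitted since it adds no bytes. The constant values, the 0xAA fill standing in for unzeroed skb memory, and the sample dialog token and capability are assumptions made for illustration. The example does not exercise FORTIFY itself: the kernel's check compares the copy length against __builtin_object_size(src, 1), the size of the innermost enclosing field, which is why '&mgmt->u.action.category' (1 byte) trips it and '&mgmt->u.action' does not. What the example shows instead is the byte that the pre-patch size left behind.

```c
/*
 * Added example, not from the patch or the mwifiex driver: a user-space
 * replica of the byte layout that mwifiex_construct_tdls_action_frame()
 * builds for a TDLS discovery response, so the effect of the memmove() size
 * can be checked byte by byte.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define HDR_LEN 24			/* offsetof(struct ieee80211_mgmt, u) */
#define WLAN_CATEGORY_PUBLIC 4		/* values as in include/linux/ieee80211.h */
#define WLAN_PUB_ACTION_TDLS_DISCOVER_RES 14
#define UNINIT_FILL 0xAA		/* assumed stand-in for unzeroed skb memory */

/* Subset of struct ieee80211_mgmt; 'variable[]' at the end of the response
 * is omitted because it occupies no bytes. Packed like the kernel's struct,
 * so 'category' and 'u' are contiguous. */
struct mgmt {
	uint16_t frame_control;
	uint16_t duration;
	uint8_t da[ETH_ALEN];
	uint8_t sa[ETH_ALEN];
	uint8_t bssid[ETH_ALEN];
	uint16_t seq_ctrl;
	union {
		struct {
			uint8_t category;
			union {
				struct {
					uint8_t action_code;
					uint8_t dialog_token;
					uint16_t capability;	/* __le16 in the kernel */
				} __attribute__((packed)) tdls_discover_resp;
			} u;
		} __attribute__((packed)) action;
	} u;
} __attribute__((packed, aligned(2)));

_Static_assert(offsetof(struct mgmt, u) == HDR_LEN, "header must be 24 bytes");

/* The patch's 'extra': 'category' plus the fixed part of the response. */
size_t discover_resp_extra(void)
{
	return sizeof(((struct mgmt *)0)->u.action.u.tdls_discover_resp) +
	       sizeof(((struct mgmt *)0)->u.action.category);
}

/* The same span computed from offsets: start of 'category' to end of 'capability'. */
size_t discover_resp_span(void)
{
	return offsetof(struct mgmt, u.action.u.tdls_discover_resp.capability) +
	       sizeof(((struct mgmt *)0)->u.action.u.tdls_discover_resp.capability) -
	       offsetof(struct mgmt, u.action.category);
}

/*
 * Replica of the WLAN_PUB_ACTION_TDLS_DISCOVER_RES case: the fields are
 * written at the start of 'u' (right after the header) and then moved back
 * ETH_ALEN bytes to make room for addr4. 'fixed' selects the patched size;
 * otherwise the pre-patch sizeof(tdls_discover_resp) is used.
 * Returns the frame length, or 0 if 'buf' is too small.
 */
size_t build_discover_resp(uint8_t *buf, size_t buflen, uint8_t dialog_token,
			   uint16_t capab, int fixed)
{
	struct mgmt *mgmt = (struct mgmt *)buf;
	size_t extra = discover_resp_extra();
	size_t len = HDR_LEN + ETH_ALEN + extra;
	uint8_t *pos, *cap;

	if (buflen < len)
		return 0;
	memset(buf, UNINIT_FILL, buflen);
	memset(mgmt, 0, HDR_LEN);
	pos = buf + HDR_LEN;			/* addr4 goes here */

	mgmt->u.action.category = WLAN_CATEGORY_PUBLIC;
	mgmt->u.action.u.tdls_discover_resp.action_code = WLAN_PUB_ACTION_TDLS_DISCOVER_RES;
	mgmt->u.action.u.tdls_discover_resp.dialog_token = dialog_token;
	/* cpu_to_le16(capab), written bytewise so the check is endian-independent */
	cap = buf + offsetof(struct mgmt, u.action.u.tdls_discover_resp.capability);
	cap[0] = capab & 0xff;
	cap[1] = capab >> 8;

	/* move back for addr4 */
	memmove(pos + ETH_ALEN, &mgmt->u.action,
		fixed ? extra : sizeof(mgmt->u.action.u.tdls_discover_resp));
	memset(pos, 0xff, ETH_ALEN);		/* eth_broadcast_addr(pos) */
	return len;
}

/* Build a sample frame (token 0x5a, capability 0x1234) and return byte 'off', or -1. */
int frame_byte(int fixed, size_t off)
{
	static uint8_t buf[64];
	size_t len = build_discover_resp(buf, sizeof(buf), 0x5a, 0x1234, fixed);

	return (len && off < len) ? buf[off] : -1;
}

int main(void)
{
	uint8_t buf[64];
	size_t len, i;
	int fixed;

	printf("extra = %zu, span by offsetof = %zu\n",
	       discover_resp_extra(), discover_resp_span());
	for (fixed = 0; fixed <= 1; fixed++) {
		len = build_discover_resp(buf, sizeof(buf), 0x5a, 0x1234, fixed);
		printf("%s size, bytes after header:", fixed ? "patched" : "original");
		for (i = HDR_LEN; i < len; i++)
			printf(" %02x", buf[i]);
		printf("\n");
	}
	return 0;
}
```

With the original size the bytes after the header come out as ff ff ff ff ff ff 04 0e 5a 34 aa: addr4, category, action code, dialog token, the low byte of the capability, and then the fill byte where the high byte of the capability should be. With the patched size the last byte is 12.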