From: Hans de Goede
To: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo
Cc: Hans de Goede, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, Kees Cook
Subject: [PATCH] wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()
Date: Sat, 29 Jul 2023 16:05:00 +0200
Message-ID: <20230729140500.27892-1-hdegoede@redhat.com>

Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers a backtrace caused by the following field-spanning error:

memcpy: detected field-spanning write (size 120) of single field "&params_le->channel_list[0]" at drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)

Fix this by replacing the channel_list[1] declaration at the end of the struct with a flexible array declaration.

Most users of struct brcmf_scan_params_le calculate the size to alloc using the size of the non flex-array part of the struct + needed extra space, so they do not care about sizeof(struct brcmf_scan_params_le).

brcmf_notify_escan_complete() however uses the struct on the stack, expecting there to be room for at least 1 entry in the channel-list to store the special -1 abort channel-id. To make this work use an anonymous union with a padding member added + the actual channel_list flexible array.

Cc: Kees Cook
Signed-off-by: Hans de Goede
---
 .../net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h index 792adaf880b4..bece26741d3a 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h @@ -398,7 +398,12 @@ struct brcmf_scan_params_le { * fixed parameter portion is assumed, otherwise * ssid in the fixed portion is ignored */ - __le16 channel_list[1]; /* list of chanspecs */ + union { + __le16 padding; /* Reserve space for at least 1 entry for abort + * which uses an on stack brcmf_scan_params_le + */ + DECLARE_FLEX_ARRAY(__le16, channel_list); /* chanspecs */ + }; }; struct brcmf_scan_params_v2_le { -- 2.41.0
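Review bot: the comment on the new `padding` member says why the union exists but not the invariant the on-stack caller now depends on, namely that `channel_list[0]` aliases `padding` and that sizeof(struct brcmf_scan_params_le) is only guaranteed to hold exactly one chanspec. Consider spelling that out in the comment, and as a follow-up giving brcmf_notify_escan_complete() an explicitly sized local (a wrapper struct holding the params plus one `__le16`) so the abort path does not rely on union sizing. Also, since the warning fires in brcmf_scan_params_v2_to_v1() and the trailing context shows `struct brcmf_scan_params_v2_le {` starting right after this struct, it is worth confirming whether the v2 struct carries the same one-element channel_list idiom and needs the same conversion.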
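A userspace model of the layout change, added here as an illustration and not code from the patch or from brcmfmac: it assumes a cut-down struct (just `channel_num` plus the trailing list) and a local copy of the kernel's DECLARE_FLEX_ARRAY macro, and shows why heap users that size by the fixed prefix are unaffected while the one on-stack abort entry still fits inside sizeof().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint16_t __le16; /* userspace stand-in for the kernel type */
/* Userspace copy of the kernel's DECLARE_FLEX_ARRAY(): a flexible array
 * wrapped in a struct with an empty leading member so it may sit in a union. */
#define DECLARE_FLEX_ARRAY(TYPE, NAME) \
	struct { struct { } __empty_##NAME; TYPE NAME[]; }
/* Constructed, cut-down model of the struct; only the trailing field matters. */
struct scan_params {
	uint32_t channel_num;
	union { /* before the fix this was: __le16 channel_list[1]; */
		__le16 padding; /* keeps sizeof() big enough for one entry */
		DECLARE_FLEX_ARRAY(__le16, channel_list); /* chanspecs */
	};
};
/* Bytes for n chanspecs: fixed prefix + n entries, as the heap users in the
 * commit message size their allocation; sizeof(struct) plays no part. */
size_t scan_params_size(size_t n)
{
	return offsetof(struct scan_params, channel_list) + n * sizeof(__le16);
}
/* Heap path: the memcpy now targets a flexible array bounded by the allocation,
 * so a 120-byte copy (60 chanspecs) is no longer a write past a 2-byte field. */
int scan_params_roundtrip(size_t n)
{
	__le16 chans[n]; /* constructed sample chanspecs 1..n */
	struct scan_params *p = calloc(1, scan_params_size(n));
	int ok = p != NULL && n > 0;
	for (size_t i = 0; i < n; i++)
		chans[i] = (__le16)(i + 1);
	if (ok) {
		p->channel_num = (uint32_t)n;
		memcpy(p->channel_list, chans, n * sizeof(__le16));
		ok = p->channel_num == n && p->channel_list[n - 1] == (__le16)n;
	}
	free(p);
	return ok;
}
/* Stack path from brcmf_notify_escan_complete(): the single -1 abort entry
 * must fit inside sizeof(struct scan_params), which the padding guarantees. */
int abort_entry_fits_on_stack(void)
{
	struct scan_params params = { .channel_num = 1 };
	params.channel_list[0] = (__le16)-1;
	return offsetof(struct scan_params, channel_list) + sizeof(__le16)
	       <= sizeof(params);
}
```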