Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp5769274rwb; Tue, 1 Aug 2023 07:42:56 -0700 (PDT) X-Google-Smtp-Source: APBJJlGnkKXoXRC0/V/bEFZniJUMiRVSStCjVKHn1JzYfiKnT1LpdfgqhE3jMHP51mxDjNmCwfSt X-Received: by 2002:a05:6a00:a84:b0:668:97bf:5ed7 with SMTP id b4-20020a056a000a8400b0066897bf5ed7mr17468769pfl.22.1690900975813; Tue, 01 Aug 2023 07:42:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690900975; cv=none; d=google.com; s=arc-20160816; b=LZ4HbGXg2tFro1OYLs6zdIU9cMq8HiyulK231QLofjM/Sg9e5BnHzYfTT4mhXYrEt+ U07BJtQj2bTv4yB44f1IFq7Kr6fM5qlVh5K1EEpbEI9u0oVw1TMJNSNFDTcfTXmKELIh ezB+y0KM9cpYoeHz3XMcL1f5R1ZYUgHXR2InU+T6SabRUDqqfTZ1oau2L4KBkg8alqc+ SFXPXvginBZA9dJ+eFxA8T9xkT9TYRpfIgkxxwLJjDAH8dewOGEDacH04RFDiMwYD50W oY5zUbXzF80TYTpGQOxxOafPyWjXlPPDSpNS3ULNhjp5L5Krg6UPd/WVQiLtI3v5IIZl +v2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:date:message-id:user-agent:cc:to:references :in-reply-to:from:subject:content-transfer-encoding:mime-version :dkim-signature; bh=opF/PgnGcAlI3xnhbvnpxlR2/45xmKNWdJ3uhLsE6pI=; fh=Y8gc5CaaXwqkoXzFyatTkToQVtpRvlqoJUUK4FZ/3BY=; b=sSnI/bsHfDCMrE+DeZ9kqRaG3QGBght+fKV67FLMugR9nbroFAPbcZRjjRPrIe/F9u QSFvyMR3jhFCE0IXmUGoUL+Y+85hN9HxYVZxvX5wG1DjJhO6Ovbf9skDN9HWu93aA1Ct 5mDcplHZS8omanX42nrzCRPJHR19BX8VfDX1iBI3O/n577wUTU9/lj/7x0CW948MGoHj aBisz2uOPaPEY2R29GxJ31sUzTF9NwVsZLDb8rWrKEZVcmWX8NNQucPBJKEjPgL6Uquh k8BdbYz+qvmPm5gI+oLg8g0Gq0b6o5znKF+gLOy4KZ50FvRqwPC/ntzArh1NRsvNbpKn buag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Co3XNM2y; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x5-20020a654145000000b00553c2f85088si8893919pgp.888.2023.08.01.07.42.39; Tue, 01 Aug 2023 07:42:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Co3XNM2y; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234830AbjHAOho (ORCPT + 59 others); Tue, 1 Aug 2023 10:37:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56856 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234610AbjHAOhn (ORCPT ); Tue, 1 Aug 2023 10:37:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E26119B7 for ; Tue, 1 Aug 2023 07:37:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2A5F8615D1 for ; Tue, 1 Aug 2023 14:37:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A05D7C433C8; Tue, 1 Aug 2023 14:37:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690900661; bh=ByzTWcVKXLJtIAbqyHlDwzS3V8FLwybmVR+af1z8ffw=; h=Subject:From:In-Reply-To:References:To:Cc:Date:From; b=Co3XNM2y4yclA/W70g+7GNkzb6xDcsG2GZp7dO0oYWpm4HnKN9bf7X9+oeKFSj7AH HVCWPm/T1j6HdSAv4yqsDCF2SMRPINuX8tMGAwLbHKzmplLfj5HaZGQirgtNOdZBao iJPOGPAlkgrIkh77QsGJ32alTe85N3gDbddQDEKdNbfuSJt2ZfXTxk3SGY96EfC+6i dgosZJnUtIIFoboeIw3+yDvdkeXcg9mNw2+VZkWtHKyutv6pTG+1qPBukzAxh6nm+d +6uKlOKZ9lQzA4vxDZX3JqSodzXAluybleqKh0ARmKVlsKdUoqKyDl3tbVIBoh64AN jvYwq9X9bd0hw== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: Re: [PATCH] wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() From: Kalle Valo In-Reply-To: <20230729140500.27892-1-hdegoede@redhat.com> References: <20230729140500.27892-1-hdegoede@redhat.com> To: Hans de Goede Cc: Arend van Spriel , Franky Lin , Hante Meuleman , Hans de Goede , linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, Kees Cook User-Agent: pwcli/0.1.1-git (https://github.com/kvalo/pwcli/) Python/3.11.2 Message-ID: <169090065747.212423.9892152660352726427.kvalo@kernel.org> Date: Tue, 1 Aug 2023 14:37:39 +0000 (UTC) X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hans de Goede wrote: > Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers > a backtrace caused by the following field-spanning error: > > memcpy: detected field-spanning write (size 120) of single field > "¶ms_le->channel_list[0]" at > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2) > > Fix this by replacing the channel_list[1] declaration at the end of > the struct with a flexible array declaration. > > Most users of struct brcmf_scan_params_le calculate the size to alloc > using the size of the non flex-array part of the struct + needed extra > space, so they do not care about sizeof(struct brcmf_scan_params_le). > > brcmf_notify_escan_complete() however uses the struct on the stack, > expecting there to be room for at least 1 entry in the channel-list > to store the special -1 abort channel-id. > > To make this work use an anonymous union with a padding member > added + the actual channel_list flexible array. > > Cc: Kees Cook > Signed-off-by: Hans de Goede > Reviewed-by: Kees Cook Does the driver still work even if this warning is printed? I'm wondering should I take this to wireless or wireless-next. Also a review from Broadcom would be really good. What about a Fixes tag? -- https://patchwork.kernel.org/project/linux-wireless/patch/20230729140500.27892-1-hdegoede@redhat.com/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches