Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp5844842rwb;
        Tue, 1 Aug 2023 08:38:27 -0700 (PDT)
X-Google-Smtp-Source: APBJJlF4Pdlt0E3lgVAJirvaslvh0WCO/XZEhW8Y3c7eFmuN4qDlra3o5CTB/UR3LgDo6a7WC+je
X-Received: by 2002:aa7:dad3:0:b0:522:ab06:721c with SMTP id x19-20020aa7dad3000000b00522ab06721cmr2855292eds.29.1690904306899;
        Tue, 01 Aug 2023 08:38:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690904306; cv=none;
        d=google.com; s=arc-20160816;
        b=hsapef2blhI47eHk1H/Tf7jcor0d5Ob5Rfm6hM6KcAK8Qw4RkyCzT0FnGSyBqwR0c6
         UHWNBjzxSdJhOgHeLQLyvVdpubKQqkHGadxdbG7Bjfhz+b5IsAPpntCZOcL2fdEpnFQ7
         9A6diB6jgKnGax7hBgIg87qPIFWsvbtJ8L17sL2y/Uhgm13rDyjcAsqNImLhSpFbbWxl
         b6RLAhyAWponTMtXIe5egNkJUPqMXs9K5/6HEPVpxQJjhopdedA6+16TBnZs3l1jdMt5
         nwG84qRjRZHGARcwdD1mNpAdUV5nMHrsCv3mej40GfapWs2Lv62alKETRI+8j9uhNsQU
         aYWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:cc:to:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=oDFlIiQrElZ4oItn1kXIvNi24PeRJ+jUaah30LuHPpQ=;
        fh=wlv80rPSj5POcUxd2ToqnYQZZQzxe3BGeMGUlC6LHaM=;
        b=daJtvGHwaxvOPb9Zi42BAKmQyeeQR59uzmqI6N4KiDWc/dAm5NfpsNcl0LWx2Dfqbd
         MZRi+20E1Q8jNxTroZ4Bev1evObuANA8+UDsEAc/+05Ii5mAwN5Q5WhPsSJpDWBhmVlW
         zb8INlVrZdANO6VBFiZ+FJS6p8SSV8jQNj0OzVETH3EacI6GIV3unqPx/BWlLtf+9Dpt
         Wm/EVzhicQnaHBUY2rnHJCobHGYuAbttKSwt2B8rtAeuZaFgothpQ2j2LXw/65K8ajs5
         TaA+0ZvlmOBZQ7tIpHHofIyHraT/FIaJNczAYOCL0EO4njssZmz4gMGDubIY+2Em1BJw
         6S2g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=jEjvn3u9;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j26-20020aa7ca5a000000b005221da47f59si8268922edt.172.2023.08.01.08.38.12;
        Tue, 01 Aug 2023 08:38:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=jEjvn3u9;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234887AbjHAOs3 (ORCPT <rfc822;pigworlds@gmail.com> + 59 others);
        Tue, 1 Aug 2023 10:48:29 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32902 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234859AbjHAOs2 (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 1 Aug 2023 10:48:28 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BD4912B
        for <linux-wireless@vger.kernel.org>; Tue,  1 Aug 2023 07:47:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1690901261;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=oDFlIiQrElZ4oItn1kXIvNi24PeRJ+jUaah30LuHPpQ=;
        b=jEjvn3u90kMFLj1c/qeJPllhFGq5XetXScu+Ofe3JKICJQb1xfBxMXVfUd3ULHfm+Mgkcp
        +BkgSpHvnp3pFCjM0hqnmJi2FLa+zVOeESr/QWgT9vCwzdRD59lO8wvX3PGhWcPFEsLxbU
        dg3nOE0i6M6cR/dne2Ky0J6RZGHFt1A=
Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com
 [209.85.218.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-41-VCTnquGhN4iADrQ538eY3Q-1; Tue, 01 Aug 2023 10:47:39 -0400
X-MC-Unique: VCTnquGhN4iADrQ538eY3Q-1
Received: by mail-ej1-f72.google.com with SMTP id a640c23a62f3a-94f7a2b21fdso416688066b.2
        for <linux-wireless@vger.kernel.org>; Tue, 01 Aug 2023 07:47:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1690901257; x=1691506057;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=oDFlIiQrElZ4oItn1kXIvNi24PeRJ+jUaah30LuHPpQ=;
        b=cszYlpMdEZerVE5hAhKvxewluAoty32Z81srk+bbY66DxafT9Xh+7dzFjUjjUjPnf0
         kb44l7X0CqID/86rPDWqVFAdOk90DRETFcQdtO1vT/jQZvQXoEhfQ/u4Ue/kqWxgUFAD
         vfXBrGFQk0YJnPND7tSIifxYN/KRrxQ8KeOvO5JBOxTkDd3FuYC0zwqS0p1v+P+IKCXy
         WqRuIpMnIFyPg0DN5FIQ/ljX3gO+FSBAVDdET+IUBRbc7WUV2LRL7pTN17UfPZxTdoOu
         2qGGG40uFrcSOXxNdjKq1VEDSE3dhV9kqiHXdbQWh5ZxdnfYl3+JnxG1yCYpAW1mHis7
         g1Ug==
X-Gm-Message-State: ABy/qLYZOmz/u3i1lzDX60dpJx9kaKgipLC+2b+v/Yjk/79y9lOKmw8w
        IYUlGHt5hzonSYhlmJbeJAwIhJ6/YHNBr9r/dbHg0qBaqomI4hzLhrxweZVt12y7Ha587lOnYDZ
        XZBV/p20qGASYkCmTMPVcFbuHixc=
X-Received: by 2002:a17:907:2cd2:b0:991:d2a8:658a with SMTP id hg18-20020a1709072cd200b00991d2a8658amr2565124ejc.34.1690901257831;
        Tue, 01 Aug 2023 07:47:37 -0700 (PDT)
X-Received: by 2002:a17:907:2cd2:b0:991:d2a8:658a with SMTP id hg18-20020a1709072cd200b00991d2a8658amr2565106ejc.34.1690901257468;
        Tue, 01 Aug 2023 07:47:37 -0700 (PDT)
Received: from ?IPV6:2001:1c00:2a07:3a01:67e5:daf9:cec0:df6? (2001-1c00-2a07-3a01-67e5-daf9-cec0-0df6.cable.dynamic.v6.ziggo.nl. [2001:1c00:2a07:3a01:67e5:daf9:cec0:df6])
        by smtp.gmail.com with ESMTPSA id gl13-20020a170906e0cd00b00982d0563b11sm7693890ejb.197.2023.08.01.07.47.36
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 01 Aug 2023 07:47:36 -0700 (PDT)
Message-ID: <57b9d6c8-557f-fbd7-0069-c84691a76ff4@redhat.com>
Date:   Tue, 1 Aug 2023 16:47:36 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.13.0
Subject: Re: [PATCH] wifi: brcmfmac: Fix field-spanning write in
 brcmf_scan_params_v2_to_v1()
To:     Kalle Valo <kvalo@kernel.org>
Cc:     Arend van Spriel <aspriel@gmail.com>,
        Franky Lin <franky.lin@broadcom.com>,
        Hante Meuleman <hante.meuleman@broadcom.com>,
        linux-wireless@vger.kernel.org,
        brcm80211-dev-list.pdl@broadcom.com,
        SHA-cyfmac-dev-list@infineon.com, Kees Cook <keescook@chromium.org>
References: <20230729140500.27892-1-hdegoede@redhat.com>
 <169090065747.212423.9892152660352726427.kvalo@kernel.org>
Content-Language: en-US
From:   Hans de Goede <hdegoede@redhat.com>
In-Reply-To: <169090065747.212423.9892152660352726427.kvalo@kernel.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,
        RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
        SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi,

On 8/1/23 16:37, Kalle Valo wrote:
> Hans de Goede <hdegoede@redhat.com> wrote:
> 
>> Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
>> a backtrace caused by the following field-spanning error:
>>
>> memcpy: detected field-spanning write (size 120) of single field
>>   "&params_le->channel_list[0]" at
>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
>>
>> Fix this by replacing the channel_list[1] declaration at the end of
>> the struct with a flexible array declaration.
>>
>> Most users of struct brcmf_scan_params_le calculate the size to alloc
>> using the size of the non flex-array part of the struct + needed extra
>> space, so they do not care about sizeof(struct brcmf_scan_params_le).
>>
>> brcmf_notify_escan_complete() however uses the struct on the stack,
>> expecting there to be room for at least 1 entry in the channel-list
>> to store the special -1 abort channel-id.
>>
>> To make this work use an anonymous union with a padding member
>> added + the actual channel_list flexible array.
>>
>> Cc: Kees Cook <keescook@chromium.org>
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> Reviewed-by: Kees Cook <keescook@chromium.org>
> 
> Does the driver still work even if this warning is printed? I'm wondering
> should I take this to wireless or wireless-next. Also a review from Broadcom
> would be really good.

It works fine, but it logs an oops / backtrace.

Note I did test the patch on a device where the warning was triggered and the warning is gone and wifi association still works.

So there is a slight preference to get this as a fix into 6.5 from my side.

> What about a Fixes tag? 

This is caused by the new field-spanning wtire checks enabled recently, so there is not really a brcmfmac commit to point to as the culprit.

Regards,

Hans