Subject: Re: [RFC PATCH] wifi: cfg80211: fix CQM for non-range use
From: Johannes Berg
To: Kees Cook
Cc: Jeff Johnson, Michael Walle, lkp@intel.com, oe-kbuild-all@lists.linux.dev, linux-wireless@vger.kernel.org, Max Schulze, netdev@vger.kernel.org
Date: Thu, 30 Nov 2023 20:00:44 +0100
In-Reply-To: <202311301054.0049306B7@keescook>
References: <202311090752.hWcJWAHL-lkp@intel.com> <202311090752.hWcJWAHL-lkp@intel.com> <1c37d99f722f891a50c540853e54d4e36bdf0157.camel@sipsolutions.net> <202311301016.84D0010@keescook> <01e3663e9e1418a183ee86251e0352256494ee28.camel@sipsolutions.net> <202311301054.0049306B7@keescook>
X-Mailing-List: linux-wireless@vger.kernel.org

On Thu, 2023-11-30 at 10:55 -0800, Kees Cook wrote:
> On Thu, Nov 30, 2023 at 07:40:26PM +0100, Johannes Berg wrote:
> > On Thu, 2023-11-30 at 10:32 -0800, Kees Cook wrote:
> > > Yeah, I would expect this to mean that there is a code path that
> > > GCC found where the value could overflow. It does this when a variable
> > > "value range" gets bounded (e.g. an int isn't the full -INT_MAX to INT_MAX
> > > range). And flex_array_size() was designed to saturate at SIZE_MAX rather
> > > than wrapping around to an unexpected small value, so these are playing
> > > together it seems.
> > >
> > > However, I would have expected the kzalloc() to blow up _first_.
> >
> > Hmm.
> >
> > > Regardless, I suspect the addition of "if (n_thresholds > 1)" is what is
> > > tripping GCC.
> > >
> > > 	int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
> > > 	...
> > > 	return nl80211_set_cqm_rssi(info, thresholds, len / 4,
> > > 				    hysteresis);
> > >
> > > Now it "knows" there is a path where n_thresholds could be [2,
> > > INT_MAX].
> >
> > Yeah, it's not _really_ bounded, apart from the message length? But then
> > struct_size() should saturate and fail? But I guess it cannot know that,
> > and limits the object size to 1<<63 - 1 whereas the copy is 1<<64 - 1...
> >
> > > Does this warning go away if "len" is made unsigned?
>
> Actually, this alone fixes it too:
>
> diff --git a/include/net/netlink.h b/include/net/netlink.h
> index 167b91348e57..c59679524705 100644
> --- a/include/net/netlink.h
> +++ b/include/net/netlink.h
> @@ -1214,9 +1214,9 @@ static inline void *nla_data(const struct nlattr *nla)
>   * nla_len - length of payload
>   * @nla: netlink attribute
>   */
> -static inline int nla_len(const struct nlattr *nla)
> +static inline u16 nla_len(const struct nlattr *nla)
>  {
> -	return nla->nla_len - NLA_HDRLEN;
> +	return nla->nla_len > NLA_HDRLEN ? nla->nla_len - NLA_HDRLEN : 0;
>  }
>

Heh. If you can sell that to Jakub I don't mind, but that might be a
harder sell than the int/u32 in our code...

johannes
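Review bot: the kernel-doc directly above the hunk still says only "nla_len - length of payload", but the new body returns 0 for a header whose nla_len is below NLA_HDRLEN where the old one returned a negative value; state that clamp in the comment, because a caller can no longer distinguish a malformed header from an empty payload by testing the result for a negative value. The int to u16 change in the same hunk also reaches further than this warning: it changes the signedness of every comparison against nla_len() in the tree, not only the cfg80211 site quoted earlier in this message, which stores the result in `int len` and computes `len / 4` and only becomes bounded because u16 promotes to int without sign extension. Making `len` unsigned at that one call site, as asked about earlier in the thread, is the narrower fix if silencing this warning is the goal.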
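The arithmetic the thread is arguing about, as an added user-space model that is not kernel code and not part of this thread: struct nlattr and NLA_HDRLEN follow the real uapi definitions (two u16 fields, a 4-byte header), while struct cqm_config_model, the saturating helpers sat_mul/sat_add (stand-ins for the kernel's size_mul()/size_add() behind struct_size()) and all other names below are assumptions written for this example. It goes slightly beyond the quoted discussion by also running a malformed zero-length attribute through both the signed and the clamped unsigned nla_len() to show why the signed version has no bound the compiler can use, and why saturation rather than wrap-around is what keeps the resulting allocation from being undersized.

```c
/*
 * Added example, not kernel code. Models the int vs. u16 nla_len()
 * question and struct_size() saturation from the thread above.
 * struct nlattr / NLA_HDRLEN match the uapi layout; everything else
 * (cqm_config_model, sat_mul, sat_add, the alloc_size_* helpers) is a
 * stand-in invented for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct nlattr {
	uint16_t nla_len;	/* total length, header included */
	uint16_t nla_type;
};
#define NLA_HDRLEN 4

/* Current kernel signature: signed, so a header shorter than
 * NLA_HDRLEN yields a negative "payload length". */
static int nla_len_int(const struct nlattr *nla)
{
	return nla->nla_len - NLA_HDRLEN;
}

/* The variant from the quoted diff: unsigned and clamped at zero,
 * so the result provably lies in [0, 65531]. */
static uint16_t nla_len_u16(const struct nlattr *nla)
{
	return nla->nla_len > NLA_HDRLEN ? nla->nla_len - NLA_HDRLEN : 0;
}

/* Stand-ins for size_mul()/size_add(): saturate at SIZE_MAX so the
 * allocator fails on an impossible size instead of handing back a
 * small wrapped-around buffer that the later copy would overrun. */
static size_t sat_mul(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_add(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Illustrative object: fixed header plus a flexible array of s32
 * thresholds (not the real struct cqm_config layout). */
struct cqm_config_model {
	uint32_t hysteresis;
	uint32_t n_thresholds;
	int32_t thresholds[];
};

/* Model of struct_size(cfg, thresholds, n): saturating. */
static size_t cqm_struct_size(size_t n)
{
	return sat_add(offsetof(struct cqm_config_model, thresholds),
		       sat_mul(n, sizeof(int32_t)));
}

/* Plain arithmetic for comparison: wraps modulo 2^64. */
static size_t naive_struct_size(size_t n)
{
	return offsetof(struct cqm_config_model, thresholds) + n * sizeof(int32_t);
}

/* The quoted nl80211 path with the original int nla_len(): len / 4 is
 * signed, and the implicit int -> size_t conversion at the struct_size()
 * call is where a negative count turns into an enormous one. */
static size_t alloc_size_signed(const struct nlattr *nla)
{
	int len = nla_len_int(nla);
	int n_thresholds = len / 4;

	return cqm_struct_size((size_t)n_thresholds);
}

/* Same path with the u16 variant: n_thresholds <= 65531 / 4, so no
 * operand can overflow; this is the bound a signed int never gives. */
static size_t alloc_size_unsigned(const struct nlattr *nla)
{
	uint16_t len = nla_len_u16(nla);
	unsigned int n_thresholds = len / 4;

	return cqm_struct_size(n_thresholds);
}

int main(void)
{
	/* Constructed inputs: a malformed zero-length header, and the
	 * largest attribute a u16 length can describe. */
	struct nlattr bad = { .nla_len = 0, .nla_type = 0 };
	struct nlattr big = { .nla_len = 65535, .nla_type = 0 };

	printf("bad: int len=%d u16 len=%u\n",
	       nla_len_int(&bad), (unsigned)nla_len_u16(&bad));
	printf("bad: saturating size=%zu naive size=%zu\n",
	       alloc_size_signed(&bad), naive_struct_size((size_t)-1));
	printf("big: signed size=%zu unsigned size=%zu\n",
	       alloc_size_signed(&big), alloc_size_unsigned(&big));
	return 0;
}
```

Built with gcc or clang (the saturating helpers use the compilers' overflow builtins), the zero-length attribute gives -4 from the signed accessor, a count of -1, and SIZE_MAX from the saturating size, so a kzalloc() fed that size would simply fail; the naive computation of the same size wraps to 4 bytes, which is the undersized allocation that saturation exists to prevent. The clamped accessor maps the same bad header to a payload of 0 and a size of just the fixed header.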