diff options
author | Gustavo A. R. Silva <gustavoars@kernel.org> | 2023-06-02 13:42:47 -0600 |
---|---|---|
committer | iwlwifi publisher <> | 2023-09-14 10:16:16 +0000 |
commit | 8908a6e6dbc2100057ca802cac0f106876034196 (patch) | |
tree | db01fe22819f48eef2a5ed0015a21712375cecce | |
parent | 30a510ef3dc6cd457bc8bfdc0cfbbd78acd5804b (diff) | |
download | backport-iwlwifi-release/core81.tar.gz |
[BUGFIX] wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()release/core81
kmemdup() at line 2735 is not duplicating enough memory for
notif->tid_tear_down and notif->station_id. As it only duplicates
612 bytes: up to offsetofend(struct iwl_wowlan_info_notif,
received_beacons), this is the range of [0, 612) bytes.
2735 notif = kmemdup(notif_v1,
2736 offsetofend(struct iwl_wowlan_info_notif,
2737 received_beacons),
2738 GFP_ATOMIC);
which evidently does not cover bytes 612 and 613 for members
tid_tear_down and station_id in struct iwl_wowlan_info_notif.
See below:
$ pahole -C iwl_wowlan_info_notif drivers/net/wireless/intel/iwlwifi/mvm/d3.o
struct iwl_wowlan_info_notif {
struct iwl_wowlan_gtk_status_v3 gtk[2]; /* 0 488 */
/* --- cacheline 7 boundary (448 bytes) was 40 bytes ago --- */
struct iwl_wowlan_igtk_status igtk[2]; /* 488 80 */
/* --- cacheline 8 boundary (512 bytes) was 56 bytes ago --- */
__le64 replay_ctr; /* 568 8 */
/* --- cacheline 9 boundary (576 bytes) --- */
__le16 pattern_number; /* 576 2 */
__le16 reserved1; /* 578 2 */
__le16 qos_seq_ctr[8]; /* 580 16 */
__le32 wakeup_reasons; /* 596 4 */
__le32 num_of_gtk_rekeys; /* 600 4 */
__le32 transmitted_ndps; /* 604 4 */
__le32 received_beacons; /* 608 4 */
u8 tid_tear_down; /* 612 1 */
u8 station_id; /* 613 1 */
u8 reserved2[2]; /* 614 2 */
/* size: 616, cachelines: 10, members: 13 */
/* last cacheline: 40 bytes */
};
Therefore, when the following assignments take place, actually no memory
has been allocated for those objects:
2743 notif->tid_tear_down = notif_v1->tid_tear_down;
2744 notif->station_id = notif_v1->station_id;
Fix this by allocating space for the whole notif object and zero out the
remaining space in memory after member station_id.
This also fixes the following -Warray-bounds issues:
CC drivers/net/wireless/intel/iwlwifi/mvm/d3.o
drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2743:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
2743 | notif->tid_tear_down = notif_v1->tid_tear_down;
|
from drivers/net/wireless/intel/iwlwifi/mvm/d3.c:7:
In function ‘kmemdup’,
inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
765 | return __real_kmemdup(p, size, gfp);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2744:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
2744 | notif->station_id = notif_v1->station_id;
| ^~
In function ‘kmemdup’,
inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
765 | return __real_kmemdup(p, size, gfp);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=bugfix
ticket=none
fixes=I89df1895c0e7e30eafee5c106a0187cf0c0c90a4
Link: https://github.com/KSPP/linux/issues/306
Fixes: 905d50ddbc83 ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Acked-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/ZHpGN555FwAKGduH@work
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: I19628c20c1028f3da41e4e626e1dbff6c010a745
Reviewed-on: https://gerritwcs.ir.intel.com/c/iwlwifi-stack-dev/+/74141
tested: iil_jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
PerCI-Ready: Greenman, Gregory <gregory.greenman@intel.com>
Tested-by: iil_jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
x-iwlwifi-stack-dev: 21b66ac8e01ec5d75529710342088bdf4610e528
-rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 6 | ||||
-rw-r--r-- | versions | 2 |
2 files changed, 3 insertions, 5 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c index 06b613ca6b..05ab775e92 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c @@ -2988,16 +2988,14 @@ static bool iwl_mvm_wait_d3_notif(struct iwl_notif_wait_data *notif_wait, (void *)pkt->data; struct iwl_wowlan_info_notif_v2 *notif_v2; - notif_v2 = kmemdup(notif_v1, - offsetofend(struct iwl_wowlan_info_notif_v2, - received_beacons), - GFP_ATOMIC); + notif_v2 = kmemdup(notif_v1, sizeof(*notif_v2), GFP_ATOMIC); if (!notif_v2) return false; notif_v2->tid_tear_down = notif_v1->tid_tear_down; notif_v2->station_id = notif_v1->station_id; + memset_after(notif_v2, 0, station_id); iwl_mvm_parse_wowlan_info_notif_v2(mvm, notif_v2, d3_data->status, len); @@ -2,5 +2,5 @@ BACKPORTS_VERSION="(see git)" BACKPORTED_KERNEL_VERSION="(see git)" BACKPORTED_KERNEL_NAME="iwlwifi" BACKPORTS_BUILD_TSTAMP=__DATE__ \" \" __TIME__ -BACKPORTS_GIT_TRACKED="iwlwifi-stack-public:release/core81:11348:b5fc1c4b" +BACKPORTS_GIT_TRACKED="iwlwifi-stack-public:release/core81:11349:21b66ac8" BACKPORTS_BRANCH_TSTAMP="Jun 29 2023 12:47:23" |