Re: [PATCH v3 2/2] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join

2021-04-15 Thread Kees Cook
On Wed, Apr 14, 2021 at 06:45:15PM -0500, Gustavo A. R. Silva wrote:
> Fix the following out-of-bounds warnings by adding a new structure
> wl3501_req instead of duplicating the same members in structure
> wl3501_join_req and wl3501_scan_confirm:
> 
> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset 
> [39, 108] from the object at 'sig' is out of the bounds of referenced 
> subobject 'beacon_period' with type 'short unsigned int' at offset 36 
> [-Warray-bounds]
> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset 
> [25, 95] from the object at 'sig' is out of the bounds of referenced 
> subobject 'beacon_period' with type 'short unsigned int' at offset 22 
> [-Warray-bounds]
> 
> Refactor the code, accordingly:
> 
> $ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
> struct wl3501_req {
> u16beacon_period;/* 0 2 */
> u16dtim_period;  /* 2 2 */
> u16cap_info; /* 4 2 */
> u8 bss_type; /* 6 1 */
> u8 bssid[6]; /* 7 6 */
> struct iw_mgmt_essid_pset  ssid; /*1334 */
> struct iw_mgmt_ds_pset ds_pset;  /*47 3 */
> struct iw_mgmt_cf_pset cf_pset;  /*50 8 */
> struct iw_mgmt_ibss_pset   ibss_pset;/*58 4 */
> struct iw_mgmt_data_rset   bss_basic_rset;   /*6210 */
> 
> /* size: 72, cachelines: 2, members: 10 */
> /* last cacheline: 8 bytes */
> };
> 
> $ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
> struct wl3501_join_req {
> u16next_blk; /* 0 2 */
> u8 sig_id;   /* 2 1 */
> u8 reserved; /* 3 1 */
> struct iw_mgmt_data_rset   operational_rset; /* 410 */
> u16reserved2;/*14 2 */
> u16timeout;  /*16 2 */
> u16probe_delay;  /*18 2 */
> u8 timestamp[8]; /*20 8 */
> u8 local_time[8];/*28 8 */
> struct wl3501_req  req;  /*3672 */
> 
> /* size: 108, cachelines: 2, members: 10 */
> /* last cacheline: 44 bytes */
> };
> 
> $ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
> struct wl3501_scan_confirm {
> u16next_blk; /* 0 2 */
> u8 sig_id;   /* 2 1 */
> u8 reserved; /* 3 1 */
> u16status;   /* 4 2 */
> char   timestamp[8]; /* 6 8 */
> char   localtime[8]; /*14 8 */
> struct wl3501_req  req;  /*2272 */
> /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
> u8 rssi; /*94 1 */
> 
> /* size: 96, cachelines: 2, members: 8 */
> /* padding: 1 */
> /* last cacheline: 32 bytes */
> };
> 
> The problem is that the original code is trying to copy data into a
> bunch of struct members adjacent to each other in a single call to
> memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
> members is introduced, memcpy() doesn't overrun the length of
> &sig.beacon_period and &this->bss_set[i].beacon_period, because the
> address of the new struct object _req_ is used as the destination,
> instead.
> 
> This helps with the ongoing efforts to globally enable -Warray-bounds
> and get us closer to being able to tighten the FORTIFY_SOURCE routines
> on memcpy().
> 
> Link: https://github.com/KSPP/linux/issues/109
> Reported-by: kernel test robot 
> Signed-off-by: Gustavo A. R. Silva 

Awesome! Thank you for this solution.

Reviewed-by: Kees Cook 

-- 
Kees Cook


Re: [PATCH v3 2/2] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join

2021-04-15 Thread Gustavo A. R. Silva



On 4/15/21 14:58, Kees Cook wrote:
> On Wed, Apr 14, 2021 at 06:45:15PM -0500, Gustavo A. R. Silva wrote:
>> Fix the following out-of-bounds warnings by adding a new structure
>> wl3501_req instead of duplicating the same members in structure
>> wl3501_join_req and wl3501_scan_confirm:
>>
>> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset 
>> [39, 108] from the object at 'sig' is out of the bounds of referenced 
>> subobject 'beacon_period' with type 'short unsigned int' at offset 36 
>> [-Warray-bounds]
>> arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset 
>> [25, 95] from the object at 'sig' is out of the bounds of referenced 
>> subobject 'beacon_period' with type 'short unsigned int' at offset 22 
>> [-Warray-bounds]
>>
>> Refactor the code, accordingly:
>>
>> $ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
>> struct wl3501_req {
>> u16beacon_period;/* 0 2 */
>> u16dtim_period;  /* 2 2 */
>> u16cap_info; /* 4 2 */
>> u8 bss_type; /* 6 1 */
>> u8 bssid[6]; /* 7 6 */
>> struct iw_mgmt_essid_pset  ssid; /*1334 */
>> struct iw_mgmt_ds_pset ds_pset;  /*47 3 */
>> struct iw_mgmt_cf_pset cf_pset;  /*50 8 */
>> struct iw_mgmt_ibss_pset   ibss_pset;/*58 4 */
>> struct iw_mgmt_data_rset   bss_basic_rset;   /*6210 */
>>
>> /* size: 72, cachelines: 2, members: 10 */
>> /* last cacheline: 8 bytes */
>> };
>>
>> $ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
>> struct wl3501_join_req {
>> u16next_blk; /* 0 2 */
>> u8 sig_id;   /* 2 1 */
>> u8 reserved; /* 3 1 */
>> struct iw_mgmt_data_rset   operational_rset; /* 410 */
>> u16reserved2;/*14 2 */
>> u16timeout;  /*16 2 */
>> u16probe_delay;  /*18 2 */
>> u8 timestamp[8]; /*20 8 */
>> u8 local_time[8];/*28 8 */
>> struct wl3501_req  req;  /*3672 */
>>
>> /* size: 108, cachelines: 2, members: 10 */
>> /* last cacheline: 44 bytes */
>> };
>>
>> $ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
>> struct wl3501_scan_confirm {
>> u16next_blk; /* 0 2 */
>> u8 sig_id;   /* 2 1 */
>> u8 reserved; /* 3 1 */
>> u16status;   /* 4 2 */
>> char   timestamp[8]; /* 6 8 */
>> char   localtime[8]; /*14 8 */
>> struct wl3501_req  req;  /*2272 */
>> /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
>> u8 rssi; /*94 1 */
>>
>> /* size: 96, cachelines: 2, members: 8 */
>> /* padding: 1 */
>> /* last cacheline: 32 bytes */
>> };
>>
>> The problem is that the original code is trying to copy data into a
>> bunch of struct members adjacent to each other in a single call to
>> memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
>> members is introduced, memcpy() doesn't overrun the length of
>> &sig.beacon_period and &this->bss_set[i].beacon_period, because the
>> address of the new struct object _req_ is used as the destination,
>> instead.
>>
>> This helps with the ongoing efforts to globally enable -Warray-bounds
>> and get us closer to being able to tighten the FORTIFY_SOURCE routines
>> on memcpy().
>>
>> Link: https://github.com/KSPP/linux/issues/109
>> Reported-by: kernel test robot 
>> Signed-off-by: Gustavo A. R. Silva 
> 
> Awesome! Thank you for this solution.
> 
> Reviewed-by: Kees Cook 


Thanks, Kees!

--
Gustavo