Re: [PATCH v2] wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()

From: Gustavo A. R. Silva
Date: Tue Jun 06 2023 - 13:35:59 EST

On 6/5/23 19:03, Kees Cook wrote:

Link: https://github.com/KSPP/linux/issues/306
Fixes: 905d50ddbc83 ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>

Nice catch!

(dancy-dance):D

,
if (wowlan_info_ver < 2) {
struct iwl_wowlan_info_notif_v1 *notif_v1 = (void *)pkt->data;
- notif = kmemdup(notif_v1,
- offsetofend(struct iwl_wowlan_info_notif,
- received_beacons),
- GFP_ATOMIC);
-
+ notif = kmemdup(notif_v1, sizeof(*notif), GFP_ATOMIC);
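Review bot: the replacement copies sizeof(*notif) bytes starting at notif_v1, which points at pkt->data in a branch that has just established the notification is pre-v2, so the read stays inside the payload only if pkt->data is at least sizeof(struct iwl_wowlan_info_notif) long; the removed lines copied just offsetofend(struct iwl_wowlan_info_notif, received_beacons), the v1-sized prefix. Suggest either verifying the payload length before this copy, or keeping the full-size allocation but copying only the v1 prefix, e.g. kzalloc(sizeof(*notif), GFP_ATOMIC) followed by memcpy(notif, notif_v1, offsetofend(struct iwl_wowlan_info_notif, received_beacons)), so the allocation is large enough for later field accesses while the v2-only tail is zeroed rather than taken from whatever bytes follow in the packet.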

The only question I have here is whether or not pkt->data actually
contains sizeof(*notif)-many bytes? It seems the length isn't checked
until after this area:

len = iwl_rx_packet_payload_len(pkt);

So, perhaps this needs to be changed instead, and the length
double-checked, etc. Perhaps a regular kzalloc + memcpy is needed to
handle pkt->data not being large enough?

As per Gregory's reply, it seems that the length is just fine.

Thanks
--
Gustavo
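As an added example, not code from the patch or from the iwlwifi driver, here is a user-space model of the alternative Kees raises above: check the payload length, allocate the full struct zeroed, and copy only the v1 portion. The struct layout, field names and the calloc/memcpy stand-ins for kzalloc/kmemdup are constructed for illustration.

```c
/* Added illustration, not iwlwifi code: a user-space model of the copy the
 * patch changes; struct layout, names and the (data, len) view are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the current notification; a v1 packet carries only the
 * fields up to and including received_beacons. */
struct notif {
    uint32_t wake_flags;
    uint32_t received_beacons;
    uint32_t v2_only_field;     /* absent from a v1 packet */
};

/* Copy a v1 notification into a full-size, zeroed struct notif. Unlike
 * kmemdup(notif_v1, sizeof(*notif), ...), it checks the payload length, reads
 * only the v1 bytes, and leaves the v2-only tail zero, not packet leftovers. */
struct notif *copy_v1_notif(const uint8_t *data, size_t len)
{
    /* same as offsetofend(struct notif, received_beacons) in the old code */
    size_t v1_len = offsetof(struct notif, received_beacons) + sizeof(uint32_t);
    if (len < v1_len)
        return NULL;                         /* payload too short */
    struct notif *n = calloc(1, sizeof(*n)); /* kzalloc stand-in */
    if (n)
        memcpy(n, data, v1_len);             /* v1 prefix only */
    return n;
}

/* Constructed sample: v1 notification (wake_flags=1, received_beacons=5)
 * followed by four unrelated payload bytes (0xAA). Returns 1 on success. */
static int sample_copy_keeps_tail_zero(void)
{
    uint32_t v1[2] = { 1, 5 };
    uint8_t buf[sizeof(v1) + 4];
    memset(buf, 0xAA, sizeof(buf));
    memcpy(buf, v1, sizeof(v1));
    struct notif *n = copy_v1_notif(buf, sizeof(buf));
    int ok = n && n->wake_flags == 1 && n->received_beacons == 5 &&
             n->v2_only_field == 0;
    free(n);
    return ok;
}

static int sample_short_payload_rejected(void) /* one byte short of v1 */
{
    uint8_t buf[7] = { 0 };
    return copy_v1_notif(buf, sizeof(buf)) == NULL;
}
```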