KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Replace 1-element array in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h #230

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

Replace one-element array with flexible-array member in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h

/**
 * struct brcmf_dload_data_le - data passing to firmware for downloading
 * @flag: flags related to download data.
 * @dload_type: type of download data.
 * @len: length in bytes of download data.
 * @crc: crc of download data.
 * @data: download data.
 */
struct brcmf_dload_data_le {
        __le16 flag;
        __le16 dload_type;
        __le32 len;
        __le32 crc;
        u8 data[1];
};

Audit (at least) all these places where the flex array is being used:

diff -u -p ./drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c /tmp/nothing/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
--- ./drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+++ /tmp/nothing/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
@@ -154,7 +154,6 @@ static int brcmf_c_process_clm_blob(stru
                        chunk_len = datalen;
                        dl_flag |= DL_END;
                }
-               memcpy(chunk_buf->data, clm->data + cumulative_len, chunk_len);

                err = brcmf_c_download(ifp, dl_flag, chunk_buf, chunk_len);
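
Review bot: the memcpy() into chunk_buf->data in brcmf_c_process_clm_blob() copies chunk_len bytes into a member currently declared as data[1], and the allocation of chunk_buf is not visible in this hunk, so that allocation is what needs checking when data becomes a flexible array. If its size is computed from sizeof(*chunk_buf) with a "- 1" adjustment for the one-element array, the adjustment has to go, and struct_size(chunk_buf, data, <max chunk length>) is the clearer form. It is also worth confirming that chunk_len, which is set from datalen on the final chunk, can never exceed the payload space that was allocated.
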
GustavoARSilva commented 1 year ago

https://lore.kernel.org/linux-hardening/cover.1668548907.git.gustavoars@kernel.org/T/
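
What the conversion changes for the call sites being audited, as an added userspace example (not code from the kernel tree or from this issue). It assumes the struct carries no packing attribute, as in the snippet posted above, and uses stdint types in place of `__le16`/`__le32`/`u8`; the names `dload_old`, `dload_new`, `old_alloc_size`, `new_alloc_size` and `make_chunk`, and the `sizeof + payload - 1` call site, are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for __le16/__le32/u8 (assumption: same widths). */
struct dload_old {              /* layout as posted: one-element array */
	uint16_t flag, dload_type;
	uint32_t len, crc;
	uint8_t data[1];
};

struct dload_new {              /* after conversion: flexible-array member */
	uint16_t flag, dload_type;
	uint32_t len, crc;
	uint8_t data[];
};

/* Sizing idiom commonly paired with data[1] (hypothetical call site). */
static size_t old_alloc_size(size_t payload)
{
	return sizeof(struct dload_old) + payload - 1;
}

/* Overflow-checked header + payload size, modelled on struct_size(). */
static size_t new_alloc_size(size_t payload)
{
	if (payload > SIZE_MAX - sizeof(struct dload_new))
		return SIZE_MAX;        /* saturate so the allocation fails */
	return sizeof(struct dload_new) + payload;
}

/* Build one chunk the way the audited memcpy() call site does. */
static struct dload_new *make_chunk(const uint8_t *src, size_t chunk_len)
{
	struct dload_new *c = calloc(1, new_alloc_size(chunk_len));
	if (!c)
		return NULL;
	c->len = (uint32_t)chunk_len;   /* endianness conversion omitted */
	memcpy(c->data, src, chunk_len);
	return c;
}

int main(void)
{
	printf("data[1]: alloc(8)=%zu  data[]: alloc(8)=%zu\n", old_alloc_size(8), new_alloc_size(8));
	return 0;
}
```

The offset of `data` is the same in both layouts, so the bytes handed to the firmware do not move; what changes is every size derived from `sizeof()`, which is why each allocation and length computation around the struct has to be audited.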