KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Replace 1-element array in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h #241

Closed GustavoARSilva closed 1 year ago

GustavoARSilva commented 1 year ago

Replace one-element array with flexible-array member:

struct brcmf_gscan_config {
        __le16 version;
        u8 flags;
        u8 buffer_threshold;
        u8 swc_nbssid_threshold;
        u8 swc_rssi_window_size;
        u8 count_of_channel_buckets;
        u8 retry_threshold;
        __le16  lost_ap_window;
        struct brcmf_gscan_bucket_config bucket[1];
};

Audit (at least) all these places where the flex array is being used:

diff -u -p ./drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c /tmp/nothing/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
--- ./drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+++ /tmp/nothing/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
@@ -434,7 +434,6 @@ static int brcmf_pno_config_sched_scans(
        gscan_cfg->flags = BRCMF_GSCAN_CFG_ALL_BUCKETS_IN_1ST_SCAN;

        gscan_cfg->count_of_channel_buckets = n_buckets;
-       memcpy(&gscan_cfg->bucket[0], buckets,
               n_buckets * sizeof(*buckets));

        err = brcmf_fil_iovar_data_set(ifp, "pfn_gscan_cfg", gscan_cfg, gsz);
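Review bot: the memcpy into &gscan_cfg->bucket[0] stays in bounds only if gsz, which is computed above this hunk and out of view, is derived from the flexible-array layout: once bucket[1] becomes bucket[], sizeof(*gscan_cfg) no longer covers a bucket, so a size formula written for the one-element layout (for instance sizeof(*gscan_cfg) + (n_buckets - 1) * sizeof(*buckets), which the hunk does not show) would allocate one bucket short and this copy of n_buckets * sizeof(*buckets) bytes would run past the allocation. Suggest gsz = struct_size(gscan_cfg, bucket, n_buckets), with the same value used for the allocation, this memcpy and the length passed to brcmf_fil_iovar_data_set(). The leading '-' on the first memcpy line marks the call for audit rather than removing it (dropping only that line would leave the continuation line dangling); saying so next to the hunk avoids the obvious misreading.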
bwendling commented 1 year ago

On Mon, Nov 14, 2022 at 2:40 PM Gustavo A. R. Silva wrote:

> Replace one-element array with flexible-array member:
>
> struct brcmf_gscan_config {
>         __le16 version;
>         u8 flags;
>         u8 buffer_threshold;
>         u8 swc_nbssid_threshold;
>         u8 swc_rssi_window_size;
>         u8 count_of_channel_buckets;
>         u8 retry_threshold;
>         __le16  lost_ap_window;
>         struct brcmf_gscan_bucket_config bucket[1];
> };
>
> Audit (at least) all these places where the flex array is being used:
>
>         gscan_cfg->count_of_channel_buckets = n_buckets;
> -       memcpy(&gscan_cfg->bucket[0], buckets,
>                n_buckets * sizeof(*buckets));

I don't understand this change. It seems to be deleting only the beginning of the function call?

-bw

>         err = brcmf_fil_iovar_data_set(ifp, "pfn_gscan_cfg", gscan_cfg, gsz);

GustavoARSilva commented 1 year ago

I don't understand this change. It seems to be deleting only the beginning of the function call?

Oh that's not actually a change, that's rather a tag indicating that line of code should be audited: "Audit (at least) all these places where the flex array is being used:"
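What the audit the opening comment asks for is looking at, as an added example that is not code from this issue or from the brcmfmac driver: after bucket[1] becomes bucket[], sizeof(*gscan_cfg) shrinks by one bucket, so any size that was computed against the one-element layout and still feeds the allocation, the memcpy and the gsz passed to the iovar call is one bucket short. The struct layouts below are simplified stand-ins (the page does not show struct brcmf_gscan_bucket_config, so a 12-byte placeholder is assumed), the helper names are assumptions, and struct_size_sat() imitates the kernel's struct_size() with saturating arithmetic.

```c
/*
 * Added example, not code from the KSPP issue or from the brcmfmac driver.
 * The struct layouts are simplified stand-ins for brcmf_gscan_config and
 * brcmf_gscan_bucket_config; helper names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct brcmf_gscan_bucket_config: 12 bytes, 4-byte aligned (assumed). */
struct bucket_cfg {
	uint32_t bucket_freq_multiple;
	uint32_t flag;
	uint8_t  band;
	uint8_t  pad[3];
};

/* Header fields as listed in the issue (__le16 -> uint16_t, u8 -> uint8_t). */
#define GSCAN_HEADER \
	uint16_t version; \
	uint8_t  flags; \
	uint8_t  buffer_threshold; \
	uint8_t  swc_nbssid_threshold; \
	uint8_t  swc_rssi_window_size; \
	uint8_t  count_of_channel_buckets; \
	uint8_t  retry_threshold; \
	uint16_t lost_ap_window

/* Before the conversion: sizeof() already contains one bucket (10 + 2 pad + 12 = 24). */
struct gscan_cfg_old {
	GSCAN_HEADER;
	struct bucket_cfg bucket[1];
};

/* After the conversion: sizeof() stops at the padded end of the header (12). */
struct gscan_cfg_new {
	GSCAN_HEADER;
	struct bucket_cfg bucket[];
};

/* Saturating multiply/add, like the kernel's size_mul()/size_add(). */
static size_t size_mul_sat(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}
static size_t size_add_sat(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Imitates struct_size(p, member, count): sizeof(*p) + count * sizeof(element). */
#define struct_size_sat(p, member, count) \
	size_add_sat(sizeof(*(p)), size_mul_sat((count), sizeof(*(p)->member)))

/* Size formula written for the one-element layout; correct for the old struct. */
size_t old_layout_size(size_t n_buckets)
{
	return sizeof(struct gscan_cfg_old) + (n_buckets - 1) * sizeof(struct bucket_cfg);
}

/* The same formula mechanically kept after the conversion: one bucket short. */
size_t stale_formula_on_new_layout(size_t n_buckets)
{
	return sizeof(struct gscan_cfg_new) + (n_buckets - 1) * sizeof(struct bucket_cfg);
}

/* What the audit should replace it with. SIZE_MAX signals overflow. */
size_t new_layout_size(size_t n_buckets)
{
	struct gscan_cfg_new *p = NULL;	/* only used inside sizeof, never dereferenced */
	return struct_size_sat(p, bucket, n_buckets);
}

/* One past the last byte touched by memcpy(&cfg->bucket[0], buckets, n * sizeof(*buckets)). */
size_t memcpy_end_offset(size_t n_buckets)
{
	return offsetof(struct gscan_cfg_new, bucket) + n_buckets * sizeof(struct bucket_cfg);
}

/* 1 if the copy of n_buckets elements stays inside an allocation of alloc_size bytes. */
int memcpy_fits(size_t n_buckets, size_t alloc_size)
{
	return alloc_size != SIZE_MAX && memcpy_end_offset(n_buckets) <= alloc_size;
}

/*
 * Build the config the way the audited call site should: size with the
 * flexible-array formula, allocate, then copy. Returns buckets copied, or -1.
 * *out_size is the value that must also be passed as the iovar length.
 */
int build_gscan_cfg(const struct bucket_cfg *buckets, size_t n_buckets,
		    struct gscan_cfg_new **out, size_t *out_size)
{
	size_t gsz = new_layout_size(n_buckets);
	struct gscan_cfg_new *cfg;

	if (gsz == SIZE_MAX || n_buckets > UINT8_MAX)
		return -1;
	cfg = calloc(1, gsz);
	if (!cfg)
		return -1;
	cfg->version = 1;
	cfg->count_of_channel_buckets = (uint8_t)n_buckets;
	memcpy(&cfg->bucket[0], buckets, n_buckets * sizeof(*buckets));
	*out = cfg;
	*out_size = gsz;
	return (int)n_buckets;
}
```

With three buckets the old and new formulas both give 48 bytes for their own layouts, while the stale formula applied to the flexible-array struct gives 36, exactly one bucket less than the 48 bytes the memcpy writes; struct_size_sat() also saturates to SIZE_MAX on a huge count so the allocation fails instead of wrapping.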

GustavoARSilva commented 1 year ago

Patch for this: https://lore.kernel.org/linux-hardening/cover.1668466470.git.gustavoars@kernel.org/

bwendling commented 1 year ago

On Mon, Nov 14, 2022 at 3:05 PM Gustavo A. R. Silva wrote:

> Patch for this: https://lore.kernel.org/linux-hardening/cover.1668466470.git.gustavoars@kernel.org/

Oh! My mistake. Sorry. :-)

-bw