On Wed, Feb 15, 2023 at 11:41 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > Silence run-time memcpy() false positive warning when processing > management frames: > > memcpy: detected field-spanning write (size 27) of single field "&mgmt_frame->u" at drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c:1469 (size 26) > > Due to this (soon to be fixed) GCC bug[1], FORTIFY_SOURCE (via > __builtin_dynamic_object_size) doesn't recognize that the union may end > with a flexible array, and returns "26" (the fixed size of the union), > rather than the remaining size of the allocation. Add an explicit > flexible array member and set it as the destination here, so that we > get the correct coverage for the memcpy(). > > [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832 > > Reported-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > Cc: Arend van Spriel <aspriel@xxxxxxxxx> > Cc: Franky Lin <franky.lin@xxxxxxxxxxxx> > Cc: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx> > Cc: Kalle Valo <kvalo@xxxxxxxxxx> > Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> > Cc: Eric Dumazet <edumazet@xxxxxxxxxx> > Cc: Jakub Kicinski <kuba@xxxxxxxxxx> > Cc: Paolo Abeni <pabeni@xxxxxxxxxx> > Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> > Cc: "Jason A. Donenfeld" <Jason@xxxxxxxxx> > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > Cc: "Darrick J. Wong" <djwong@xxxxxxxxxx> > Cc: Colin Ian King <colin.i.king@xxxxxxxxx> > Cc: Brian Henriquez <brian.henriquez@xxxxxxxxxxx> > Cc: linux-wireless@xxxxxxxxxxxxxxx > Cc: brcm80211-dev-list.pdl@xxxxxxxxxxxx > Cc: SHA-cyfmac-dev-list@xxxxxxxxxxxx > Cc: netdev@xxxxxxxxxxxxxxx > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Us having to deal with this kind of stuff is why we need Rust. Thanks for doing this Kees, Reviewed-by: Linus Walleij <linus.walleij@xxxxxxxxxx> Yours, Linus Walleij
