Patch "wifi: ath: Silence memcpy run-time false positive warning" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    wifi: ath: Silence memcpy run-time false positive warning

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-ath-silence-memcpy-run-time-false-positive-warn.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit af725ab0748db150afdf505711c470fef32bda84
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Wed Feb 15 20:31:38 2023 +0200

    wifi: ath: Silence memcpy run-time false positive warning
    
    [ Upstream commit bfcc8ba45eb87bfaaff900bbad2b87b204899d41 ]
    
    The memcpy() in ath_key_config() was attempting to write across
    neighboring struct members in struct ath_keyval. Introduce a wrapping
    struct_group, kv_values, to be the addressable target of the memcpy
    without overflowing an individual member. Silences the false positive
    run-time warning:
    
      memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16)
    
    Link: https://bbs.archlinux.org/viewtopic.php?id=282254
    Cc: Kalle Valo <kvalo@xxxxxxxxxx>
    Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
    Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
    Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
    Cc: linux-wireless@xxxxxxxxxxxxxxx
    Cc: netdev@xxxxxxxxxxxxxxx
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230210054310.never.554-kees@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h
index f083fb9038c36..f02a308a9ffc5 100644
--- a/drivers/net/wireless/ath/ath.h
+++ b/drivers/net/wireless/ath/ath.h
@@ -96,11 +96,13 @@ struct ath_keyval {
 	u8 kv_type;
 	u8 kv_pad;
 	u16 kv_len;
-	u8 kv_val[16]; /* TK */
-	u8 kv_mic[8]; /* Michael MIC key */
-	u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
-			 * supports both MIC keys in the same key cache entry;
-			 * in that case, kv_mic is the RX key) */
+	struct_group(kv_values,
+		u8 kv_val[16]; /* TK */
+		u8 kv_mic[8]; /* Michael MIC key */
+		u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
+				 * supports both MIC keys in the same key cache entry;
+				 * in that case, kv_mic is the RX key) */
+	);
 };
 
 enum ath_cipher {
diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c
index 61b59a804e308..b7b61d4f02bae 100644
--- a/drivers/net/wireless/ath/key.c
+++ b/drivers/net/wireless/ath/key.c
@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common,
 
 	hk.kv_len = key->keylen;
 	if (key->keylen)
-		memcpy(hk.kv_val, key->key, key->keylen);
+		memcpy(&hk.kv_values, key->key, key->keylen);
 
 	if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
 		switch (vif->type) {



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux