Patch "wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 683ebdf526ff6b7d1a58030e79ed32ee6779a0ac
Author: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
Date:   Thu Jun 15 12:04:07 2023 -0600

    wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
    
    [ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ]
    
    -Wstringop-overflow is legitimately warning us about extra_size
    potentially being zero at some point, hence potentially ending
    up _allocating_ zero bytes of memory for extra pointer and then
    trying to access such object in a call to copy_from_user().
    
    Fix this by adding a sanity check to ensure we never end up
    trying to allocate zero bytes of data for extra pointer, before
    continuing to execute the rest of the code in the function.
    
    Address the following -Wstringop-overflow warning seen when building
    for the m68k architecture with allyesconfig configuration:
                     from net/wireless/wext-core.c:11:
    In function '_copy_from_user',
        inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
        inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
    arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
       48 | #define memset(d, c, n) __builtin_memset(d, c, n)
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
    include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
      153 |                 memset(to + (n - res), 0, res);
          |                 ^~~~~~
    In function 'kmalloc',
        inlined from 'kzalloc' at include/linux/slab.h:694:9,
        inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
    include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
      577 |         return __kmalloc(size, flags);
          |                ^~~~~~~~~~~~~~~~~~~~~~
    
    This helps with the ongoing efforts to globally enable
    -Wstringop-overflow.
    
    Link: https://github.com/KSPP/linux/issues/315
    Signed-off-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
    Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index fe8765c4075d3..8a4b85f96a13a 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -799,6 +799,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
 		}
 	}
 
+	/* Sanity-check to ensure we never end up _allocating_ zero
+	 * bytes of data for extra.
+	 */
+	if (extra_size <= 0)
+		return -EFAULT;
+
 	/* kzalloc() ensures NULL-termination for essid_compat. */
 	extra = kzalloc(extra_size, GFP_KERNEL);
 	if (!extra)
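
Review bot: The new "if (extra_size <= 0)" check returns -EFAULT, which normally reports a bad user-space address; if a zero size can only come from the request's own parameters, -EINVAL would describe the failure better, and if -EFAULT is deliberate the comment should say why. The comment also speaks only of allocating zero bytes while the test rejects negative values as well, so the two should agree. It would help to add to the comment that kzalloc() called with a size of 0 does not return NULL, which is why the "if (!extra)" test that follows cannot catch this case on its own.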


