Patch "wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a62f2605baff8e64b5370467dcb0a4830eaea179
Author: Alper Nebi Yasak <alpernebiyasak@xxxxxxxxx>
Date:   Tue Oct 8 01:20:54 2024 +0300

    wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
    
    [ Upstream commit d241a139c2e9f8a479f25c75ebd5391e6a448500 ]
    
    Replace one-element array with a flexible-array member in `struct
    mwifiex_ie_types_wildcard_ssid_params` to fix the following warning
    on a MT8173 Chromebook (mt8173-elm-hana):
    
    [  356.775250] ------------[ cut here ]------------
    [  356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
    [  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]
    
    The "(size 6)" above is exactly the length of the SSID of the network
    this device was connected to. The source of the warning looks like:
    
        ssid_len = user_scan_in->ssid_list[i].ssid_len;
        [...]
        memcpy(wildcard_ssid_tlv->ssid,
               user_scan_in->ssid_list[i].ssid, ssid_len);
    
    There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this
    struct, but it already didn't account for the size of the one-element
    array, so it doesn't need to be changed.
    
    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Alper Nebi Yasak <alpernebiyasak@xxxxxxxxx>
    Acked-by: Brian Norris <briannorris@xxxxxxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
    Link: https://patch.msgid.link/20241007222301.24154-1-alpernebiyasak@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
index 26979013ca52d..9c9fe5757b295 100644
--- a/drivers/net/wireless/marvell/mwifiex/fw.h
+++ b/drivers/net/wireless/marvell/mwifiex/fw.h
@@ -842,7 +842,7 @@ struct mwifiex_ietypes_chanstats {
 struct mwifiex_ie_types_wildcard_ssid_params {
 	struct mwifiex_ie_types_header header;
 	u8 max_ssid_length;
-	u8 ssid[1];
+	u8 ssid[];
 } __packed;
 
 #define TSF_DATA_SIZE            8
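Review bot: changing `u8 ssid[1];` to `u8 ssid[];` in `struct mwifiex_ie_types_wildcard_ssid_params` makes `sizeof()` of this `__packed` struct one byte smaller, and nothing in this hunk shows the `sizeof()` users being audited. The commit message says `WILDCARD_SSID_TLV_MAX_SIZE` needs no change; quoting that macro's definition in the message would let a reader confirm it, and any other length or allocation computed from the size of this struct should be checked for an off-by-one. Separately, with a flexible-array member the fortified `memcpy()` no longer has a field size to compare `ssid_len` against, so the copy quoted from scan.c:904 relies entirely on `ssid_len` being bounded before it is reached. A short comment on the `ssid` member saying where its length comes from and what caps it would be worth adding.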



