| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jun 2023 11:36:14 -0600
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Kees Cook <keescook@...omium.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Gregory Greenman <gregory.greenman@...el.com>,
Kalle Valo <kvalo@...nel.org>,
Haim Dreyfuss <haim.dreyfuss@...el.com>,
Johannes Berg <johannes.berg@...el.com>,
linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] wifi: iwlwifi: mvm: Fix -Warray-bounds bug in
iwl_mvm_wait_d3_notif()
On 6/5/23 19:03, Kees Cook wrote:
>>
>> Link: https://github.com/KSPP/linux/issues/306
>> Fixes: 905d50ddbc83 ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
>
> Nice catch!
(dancy-dance):D
,
>> if (wowlan_info_ver < 2) {
>> struct iwl_wowlan_info_notif_v1 *notif_v1 = (void *)pkt->data;
>>
>> - notif = kmemdup(notif_v1,
>> - offsetofend(struct iwl_wowlan_info_notif,
>> - received_beacons),
>> - GFP_ATOMIC);
>> -
>> + notif = kmemdup(notif_v1, sizeof(*notif), GFP_ATOMIC);
>
> The only question I have here is whether or not pkt->data actually
> contains sizeof(*notif)-many bytes? It seems the length isn't checked
> until after this area:
>
> len = iwl_rx_packet_payload_len(pkt);
>
> So, perhaps this needs to be changed instead, and the length
> double-checked, etc. Perhaps a regular kzalloc + memcpy is needed to
> handle pkt->data not being large enough?
As per Gregory's reply, it seems that the length is just fine.
Thanks
--
Gustavo
Powered by blists - more mailing lists