diff mbox series

[next] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()

Message ID ZItSlzvIpjdjNfd8@work (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [next] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 10 this patch: 10
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Gustavo A. R. Silva June 15, 2023, 6:04 p.m. UTC
-Wstringop-overflow is legitimately warning us about extra_size
pontentially being zero at some point, hence potenially ending
up _allocating_ zero bytes of memory for extra pointer and then
trying to access such object in a call to copy_from_user().

Fix this by adding a sanity check to ensure we never end up
trying to allocate zero bytes of data for extra pointer, before
continue executing the rest of the code in the function.

Address the following -Wstringop-overflow warning seen when built
m68k architecture with allyesconfig configuration:
                 from net/wireless/wext-core.c:11:
In function '_copy_from_user',
    inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
    inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   48 | #define memset(d, c, n) __builtin_memset(d, c, n)
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
  153 |                 memset(to + (n - res), 0, res);
      |                 ^~~~~~
In function 'kmalloc',
    inlined from 'kzalloc' at include/linux/slab.h:694:9,
    inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
  577 |         return __kmalloc(size, flags);
      |                ^~~~~~~~~~~~~~~~~~~~~~

This help with the ongoing efforts to globally enable
-Wstringop-overflow.

Link: https://github.com/KSPP/linux/issues/315
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 net/wireless/wext-core.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Simon Horman June 16, 2023, 8:42 a.m. UTC | #1
On Thu, Jun 15, 2023 at 12:04:07PM -0600, Gustavo A. R. Silva wrote:
> -Wstringop-overflow is legitimately warning us about extra_size
> pontentially being zero at some point, hence potenially ending

nit: checkpatch --codespell suggests: potenially -> potentially

> up _allocating_ zero bytes of memory for extra pointer and then
> trying to access such object in a call to copy_from_user().
> 
> Fix this by adding a sanity check to ensure we never end up
> trying to allocate zero bytes of data for extra pointer, before
> continue executing the rest of the code in the function.
> 
> Address the following -Wstringop-overflow warning seen when built
> m68k architecture with allyesconfig configuration:
>                  from net/wireless/wext-core.c:11:
> In function '_copy_from_user',
>     inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
>     inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
> arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
>    48 | #define memset(d, c, n) __builtin_memset(d, c, n)
>       |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
> include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
>   153 |                 memset(to + (n - res), 0, res);
>       |                 ^~~~~~
> In function 'kmalloc',
>     inlined from 'kzalloc' at include/linux/slab.h:694:9,
>     inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
> include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
>   577 |         return __kmalloc(size, flags);
>       |                ^~~~~~~~~~~~~~~~~~~~~~
> 
> This help with the ongoing efforts to globally enable
> -Wstringop-overflow.
> 
> Link: https://github.com/KSPP/linux/issues/315
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Simon Horman <simon.horman@corigine.com>
diff mbox series

Patch

diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index a125fd1fa134..a161c64d1765 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -815,6 +815,12 @@  static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
 		}
 	}
 
+	/* Sanity-check to ensure we never end up _allocating_ zero
+	 * bytes of data for extra.
+	 */
+	if (extra_size <= 0)
+		return -EFAULT;
+
 	/* kzalloc() ensures NULL-termination for essid_compat. */
 	extra = kzalloc(extra_size, GFP_KERNEL);
 	if (!extra)