From patchwork Tue Jun 20 10:07:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 13285565 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2BE5EB64D7 for ; Tue, 20 Jun 2023 10:10:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231540AbjFTKKe (ORCPT ); Tue, 20 Jun 2023 06:10:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231574AbjFTKKc (ORCPT ); Tue, 20 Jun 2023 06:10:32 -0400 Received: from forward101c.mail.yandex.net (forward101c.mail.yandex.net [178.154.239.212]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7CA1A3 for ; Tue, 20 Jun 2023 03:10:28 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net [IPv6:2a02:6b8:c14:c83:0:640:84f9:0]) by forward101c.mail.yandex.net (Yandex) with ESMTP id 18E2A600DC; Tue, 20 Jun 2023 13:09:48 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id d9eIllrDZ0U0-P5L736Pz; Tue, 20 Jun 2023 13:09:47 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1687255787; bh=HkCFXEEnrmStviwzT132w8G9XgVYgvZO3eEETWC5ipQ=; h=Message-ID:Date:Cc:Subject:To:From; b=KVuth/lCRErk4FPsqJuxEAuy6OZ+fRivkSS/1zCaqu4XarCGstj71mxwelX+1brLR 26AJ1FslZw89VAVRK+wMOwh9Xws+ZLU5FpPXL5dc3Zj0kTS3qnZ/CMixOO25MLyqdZ 6I+RtbVWfnQACHF0Drwe1NgXupimWxM7isdQRb7g= Authentication-Results: mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Christophe Jaillet Cc: Kalle Valo , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 1/2] [v2] wifi: mwifiex: avoid strlcpy() and use strscpy() where appropriate Date: Tue, 20 Jun 2023 13:07:36 +0300 Message-ID: <20230620100803.519926-1-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Prefer 'strscpy()' over unsafe 'strlcpy()' and 'strcpy()' in 'mwifiex_init_hw_fw()' and 'mwifiex_register_dev()', respectively. All other calls to 'strcpy(adapter->name, ...)' should be safe because the firmware name is a compile-time constant of known length and so guaranteed to fit into a destination buffer. Signed-off-by: Dmitry Antipov Reviewed-by: Brian Norris --- drivers/net/wireless/marvell/mwifiex/main.c | 11 +++-------- drivers/net/wireless/marvell/mwifiex/sdio.c | 4 +++- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c index ea22a08e6c08..64512b00e8b5 100644 --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c @@ -724,14 +724,9 @@ static int mwifiex_init_hw_fw(struct mwifiex_adapter *adapter, /* Override default firmware with manufacturing one if * manufacturing mode is enabled */ - if (mfg_mode) { - if (strlcpy(adapter->fw_name, MFG_FIRMWARE, - sizeof(adapter->fw_name)) >= - sizeof(adapter->fw_name)) { - pr_err("%s: fw_name too long!\n", __func__); - return -1; - } - } + if (mfg_mode) + strscpy(adapter->fw_name, MFG_FIRMWARE, + sizeof(adapter->fw_name)); if (req_fw_nowait) { ret = request_firmware_nowait(THIS_MODULE, 1, adapter->fw_name, diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c index a24bd40dd41a..a5d3128d7922 100644 --- a/drivers/net/wireless/marvell/mwifiex/sdio.c +++ b/drivers/net/wireless/marvell/mwifiex/sdio.c @@ -2483,7 +2483,9 @@ static int mwifiex_register_dev(struct mwifiex_adapter *adapter) if ((val & card->reg->host_strap_mask) == card->reg->host_strap_value) firmware = card->firmware_sdiouart; } - strcpy(adapter->fw_name, firmware); + ret = strscpy(adapter->fw_name, firmware, sizeof(adapter->fw_name)); + if (ret < 0) + return ret; if (card->fw_dump_enh) { adapter->mem_type_mapping_tbl = generic_mem_type_map; From patchwork Tue Jun 20 10:07:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 13285564 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40234EB64D7 for ; Tue, 20 Jun 2023 10:10:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231482AbjFTKKR (ORCPT ); Tue, 20 Jun 2023 06:10:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232060AbjFTKKB (ORCPT ); Tue, 20 Jun 2023 06:10:01 -0400 Received: from forward103b.mail.yandex.net (forward103b.mail.yandex.net [178.154.239.150]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0053BFC for ; Tue, 20 Jun 2023 03:09:57 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net [IPv6:2a02:6b8:c14:c83:0:640:84f9:0]) by forward103b.mail.yandex.net (Yandex) with ESMTP id 4869D6005A; Tue, 20 Jun 2023 13:09:51 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id d9eIllrDZ0U0-0DuOcOoj; Tue, 20 Jun 2023 13:09:50 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1687255790; bh=TdL1ODdSnmobHyWQ9cr10ORS2I4JdZUnqRsLqz3p2YU=; h=Cc:Message-ID:References:Date:In-Reply-To:Subject:To:From; b=qwlnT78Kwy94SHGwlRb7RufB+RA5JQiEJj74DjuwgcgR6iEFChbab3QrTEEpKKZST ql1TeL9hb6aK3OERH0Wv6XlxRg6WrfZRnnv6skL6mD3yWMbdL3hi73fw9CwWGNxlzX xEjFeqaFPx6iP/ftY1B2Ow9CHClwQ7vO+wj/ehog= Authentication-Results: mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Christophe Jaillet Cc: Kalle Valo , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 2/2] [v2] wifi: mwifiex: fix fortify warning Date: Tue, 20 Jun 2023 13:07:37 +0300 Message-ID: <20230620100803.519926-2-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230620100803.519926-1-dmantipov@yandex.ru> References: <20230620100803.519926-1-dmantipov@yandex.ru> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: In function ‘fortify_memcpy_chk’, inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3, inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The compiler actually complains on: memmove(pos + ETH_ALEN, &mgmt->u.action.category, sizeof(mgmt->u.action.u.tdls_discover_resp)); and it happens because the fortification logic interprets this as an attempt to overread 1-byte 'u.action.category' member of 'struct ieee80211_mgmt'. To silence this warning, it's enough to pass an address of 'u.action' itself instead of an address of its first member. Signed-off-by: Dmitry Antipov Reviewed-by: Brian Norris --- drivers/net/wireless/marvell/mwifiex/tdls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c index 97bb87c3676b..5a2941965757 100644 --- a/drivers/net/wireless/marvell/mwifiex/tdls.c +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c @@ -762,7 +762,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, mgmt->u.action.u.tdls_discover_resp.capability = cpu_to_le16(capab); /* move back for addr4 */ - memmove(pos + ETH_ALEN, &mgmt->u.action.category, + memmove(pos + ETH_ALEN, &mgmt->u.action, sizeof(mgmt->u.action.u.tdls_discover_resp)); /* init address 4 */ eth_broadcast_addr(pos);