From fce4bb5e80f974ab0de516745b3895d9b03740cf Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: May 25 2023 07:19:33 +0000 Subject: wifi: ath: Silence memcpy run-time false positive warning (git-fixes). --- diff --git a/patches.suse/wifi-ath-Silence-memcpy-run-time-false-positive-warn.patch b/patches.suse/wifi-ath-Silence-memcpy-run-time-false-positive-warn.patch new file mode 100644 index 0000000..a614972 --- /dev/null +++ b/patches.suse/wifi-ath-Silence-memcpy-run-time-false-positive-warn.patch @@ -0,0 +1,73 @@ +From bfcc8ba45eb87bfaaff900bbad2b87b204899d41 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 15 Feb 2023 20:31:38 +0200 +Subject: [PATCH] wifi: ath: Silence memcpy run-time false positive warning +Git-commit: bfcc8ba45eb87bfaaff900bbad2b87b204899d41 +Patch-mainline: v6.4-rc1 +References: git-fixes + +The memcpy() in ath_key_config() was attempting to write across +neighboring struct members in struct ath_keyval. Introduce a wrapping +struct_group, kv_values, to be the addressable target of the memcpy +without overflowing an individual member. Silences the false positive +run-time warning: + + memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16) + +Link: https://bbs.archlinux.org/viewtopic.php?id=282254 +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230210054310.never.554-kees@kernel.org +Acked-by: Takashi Iwai + +--- + drivers/net/wireless/ath/ath.h | 12 +++++++----- + drivers/net/wireless/ath/key.c | 2 +- + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h +index f083fb9038c3..f02a308a9ffc 100644 +--- a/drivers/net/wireless/ath/ath.h ++++ b/drivers/net/wireless/ath/ath.h +@@ -96,11 +96,13 @@ struct ath_keyval { + u8 kv_type; + u8 kv_pad; + u16 kv_len; +- u8 kv_val[16]; /* TK */ +- u8 kv_mic[8]; /* Michael MIC key */ +- u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware +- * supports both MIC keys in the same key cache entry; +- * in that case, kv_mic is the RX key) */ ++ struct_group(kv_values, ++ u8 kv_val[16]; /* TK */ ++ u8 kv_mic[8]; /* Michael MIC key */ ++ u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware ++ * supports both MIC keys in the same key cache entry; ++ * in that case, kv_mic is the RX key) */ ++ ); + }; + + enum ath_cipher { +diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c +index 61b59a804e30..b7b61d4f02ba 100644 +--- a/drivers/net/wireless/ath/key.c ++++ b/drivers/net/wireless/ath/key.c +@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common, + + hk.kv_len = key->keylen; + if (key->keylen) +- memcpy(hk.kv_val, key->key, key->keylen); ++ memcpy(&hk.kv_values, key->key, key->keylen); + + if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) { + switch (vif->type) { +-- +2.35.3 + diff --git a/series.conf b/series.conf index 4283969..87efdc1 100644 --- a/series.conf +++ b/series.conf @@ -19913,6 +19913,7 @@ patches.suse/net-mana-Add-new-MANA-VF-performance-counters-for-ea.patch patches.suse/wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch patches.suse/wifi-ath6kl-minor-fix-for-allocation-size.patch + patches.suse/wifi-ath-Silence-memcpy-run-time-false-positive-warn.patch patches.suse/wifi-ath9k-hif_usb-fix-memory-leak-of-remain_skbs.patch patches.suse/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch patches.suse/wifi-ath6kl-reduce-WARN-to-dev_dbg-in-callback.patch