mirror_ubuntu-kernels/drivers/net/wireless/broadcom/brcm80211/brcmfmac
Hans de Goede 16e455a465 wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()
Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
a backtrace caused by the following field-spanning warning:

memcpy: detected field-spanning write (size 120) of single field
  "&params_le->channel_list[0]" at
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)

The driver still works after this warning. The warning was introduced by the
new field-spanning write checks which were enabled recently.

Fix this by replacing the channel_list[1] declaration at the end of
the struct with a flexible array declaration.

Most users of struct brcmf_scan_params_le calculate the size to alloc
using the size of the non flex-array part of the struct + needed extra
space, so they do not care about sizeof(struct brcmf_scan_params_le).

brcmf_notify_escan_complete() however uses the struct on the stack,
expecting there to be room for at least 1 entry in the channel-list
to store the special -1 abort channel-id.

To make this work use an anonymous union with a padding member
added + the actual channel_list flexible array.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
2023-08-02 13:34:16 +03:00
bca wifi: brcmfmac: introduce BRCMFMAC exported symbols namespace 2022-12-08 16:44:08 +02:00
cyw wifi: brcmfmac: introduce BRCMFMAC exported symbols namespace 2022-12-08 16:44:08 +02:00
wcc wifi: brcmfmac: wcc: Add debug messages 2023-05-15 21:25:11 +03:00
acpi.c wifi: brcmfmac: acpi: Add support for fetching Apple ACPI properties 2023-02-27 12:41:05 +02:00
bcdc.c brcmfmac: increase dcmd maximum buffer size 2022-09-27 09:09:07 +03:00
bcdc.h
bcmsdh.c wifi: brcmfmac: Check for probe() id argument being NULL 2023-05-15 21:18:42 +03:00
btcoex.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
btcoex.h
bus.h wifi: brcmfmac: common: Add support for downloading TxCap blobs 2023-02-27 16:59:36 +02:00
cfg80211.c wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() 2023-03-13 15:45:56 +02:00
cfg80211.h wifi: brcmfmac: Replace one-element array with flexible-array member 2023-02-13 18:52:33 +02:00
chip.c wifi: brcmfmac: Detect corner error case earlier with log 2023-06-08 19:00:00 +03:00
chip.h
common.c wifi: brcmfmac: common: Add support for external calibration blobs 2023-02-27 16:59:36 +02:00
common.h wifi: brcmfmac: common: Add support for external calibration blobs 2023-02-27 16:59:36 +02:00
commonring.c
commonring.h
core.c wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() 2022-12-22 18:07:22 +02:00
core.h wifi: brcmfmac: introduce BRCMFMAC exported symbols namespace 2022-12-08 16:44:08 +02:00
debug.c
debug.h
dmi.c wifi: brcmfmac: Add DMI nvram filename quirk for Chuwi Hi8 Pro tablet 2022-09-07 10:58:46 +03:00
feature.c wifi: brcmfmac: feature: Add support for setting feats based on WLC version 2023-02-27 16:59:35 +02:00
feature.h wifi: brcmfmac: feature: Add support for setting feats based on WLC version 2023-02-27 16:59:35 +02:00
firmware.c wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() 2022-11-04 12:58:48 +02:00
firmware.h wifi: brcmfmac: firmware: Support passing in multiple board_types 2022-09-19 12:59:33 +03:00
flowring.c wifi: brcmfmac: fix scheduling while atomic issue when deleting flowring 2022-08-10 08:47:22 +03:00
flowring.h
fweh.c wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() 2022-11-01 13:14:20 +02:00
fweh.h
fwil_types.h wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() 2023-08-02 13:34:16 +03:00
fwil.c
fwil.h
fwsignal.c wifi: move from strlcpy with unused retval to strscpy 2022-09-02 11:47:22 +03:00
fwsignal.h wifi: brcmfmac: Fix to add skb free for TIM update info when tx is completed 2022-08-10 08:47:22 +03:00
fwvid.c wifi: brcmfmac: introduce BRCMFMAC exported symbols namespace 2022-12-08 16:44:08 +02:00
fwvid.h wifi: brcmfmac: add vendor name in revinfo debugfs file 2022-12-08 16:44:08 +02:00
Kconfig
Makefile wifi: brcmfmac: acpi: Add support for fetching Apple ACPI properties 2023-02-27 12:41:05 +02:00
msgbuf.c wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() 2022-12-22 18:09:14 +02:00
msgbuf.h wifi: brcmfmac: msgbuf: Increase RX ring sizes to 1024 2022-09-19 12:59:34 +03:00
of.c net: Use of_property_present() for testing DT property presence 2023-03-13 17:07:52 -07:00
of.h
p2p.c wifi: brcmfmac: p2p: Introduce generic flexible array frame member 2023-02-16 09:33:25 +01:00
p2p.h
pcie.c wifi: brcmfmac: Check for probe() id argument being NULL 2023-05-15 21:18:42 +03:00
pcie.h
pno.c wifi: brcmfmac: Use struct_size() and array_size() in code related to struct brcmf_gscan_config 2022-11-22 12:13:47 +02:00
pno.h
proto.c
proto.h
sdio.c wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() 2022-12-08 16:46:32 +02:00
sdio.h wifi: brcmfmac: Fix SDIO suspend/resume regression 2023-03-31 18:00:34 +03:00
tracepoint.c
tracepoint.h wifi: brcmfmac: fix gnu_printf warnings 2023-06-16 12:24:15 +03:00
usb.c wifi: brcmfmac: Check for probe() id argument being NULL 2023-05-15 21:18:42 +03:00
usb.h
vendor.c
vendor.h
xtlv.c
xtlv.h