mirror_ubuntu-kernels/drivers/net/wireless/intel/iwlwifi
Gustavo A. R. Silva 7a4615b9a9 wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
kmemdup() at line 2735 is not duplicating enough memory for
notif->tid_tear_down and notif->station_id. As it only duplicates
612 bytes: up to offsetofend(struct iwl_wowlan_info_notif,
received_beacons), this is the range of [0, 612) bytes.

2735	notif = kmemdup(notif_v1,
2736			offsetofend(struct iwl_wowlan_info_notif,
2737				    received_beacons),
2738			GFP_ATOMIC);

which evidently does not cover bytes 612 and 613 for members
tid_tear_down and station_id in struct iwl_wowlan_info_notif.
See below:

$ pahole -C iwl_wowlan_info_notif drivers/net/wireless/intel/iwlwifi/mvm/d3.o
struct iwl_wowlan_info_notif {
	struct iwl_wowlan_gtk_status_v3 gtk[2];          /*     0   488 */
	/* --- cacheline 7 boundary (448 bytes) was 40 bytes ago --- */
	struct iwl_wowlan_igtk_status igtk[2];           /*   488    80 */
	/* --- cacheline 8 boundary (512 bytes) was 56 bytes ago --- */
	__le64                     replay_ctr;           /*   568     8 */
	/* --- cacheline 9 boundary (576 bytes) --- */
	__le16                     pattern_number;       /*   576     2 */
	__le16                     reserved1;            /*   578     2 */
	__le16                     qos_seq_ctr[8];       /*   580    16 */
	__le32                     wakeup_reasons;       /*   596     4 */
	__le32                     num_of_gtk_rekeys;    /*   600     4 */
	__le32                     transmitted_ndps;     /*   604     4 */
	__le32                     received_beacons;     /*   608     4 */
	u8                         tid_tear_down;        /*   612     1 */
	u8                         station_id;           /*   613     1 */
	u8                         reserved2[2];         /*   614     2 */

	/* size: 616, cachelines: 10, members: 13 */
	/* last cacheline: 40 bytes */
};

Therefore, when the following assignments take place, actually no memory
has been allocated for those objects:

2743	notif->tid_tear_down = notif_v1->tid_tear_down;
2744	notif->station_id = notif_v1->station_id;

Fix this by allocating space for the whole notif object and zero out the
remaining space in memory after member station_id.

This also fixes the following -Warray-bounds issues:
 CC      drivers/net/wireless/intel/iwlwifi/mvm/d3.o
drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2743:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
 2743 |                         notif->tid_tear_down = notif_v1->tid_tear_down;
      |
                 from drivers/net/wireless/intel/iwlwifi/mvm/d3.c:7:
In function ‘kmemdup’,
    inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
  765 |         return __real_kmemdup(p, size, gfp);
      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function ‘iwl_mvm_wait_d3_notif’:
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2744:30: warning: array subscript ‘struct iwl_wowlan_info_notif[0]’ is partly outside array bounds of ‘unsigned char[612]’ [-Warray-bounds=]
 2744 |                         notif->station_id = notif_v1->station_id;
      |                              ^~
In function ‘kmemdup’,
    inlined from ‘iwl_mvm_wait_d3_notif’ at drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2735:12:
include/linux/fortify-string.h:765:16: note: object of size 612 allocated by ‘__real_kmemdup’
  765 |         return __real_kmemdup(p, size, gfp);
      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link: https://github.com/KSPP/linux/issues/306
Fixes: 905d50ddbc ("wifi: iwlwifi: mvm: support wowlan info notification version 2")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Acked-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/ZHpGN555FwAKGduH@work
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-06-06 11:11:14 +02:00
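An added example, not the driver's code, that models the allocation arithmetic the commit message describes in user-space C. It reproduces the pahole layout of struct iwl_wowlan_info_notif (the gtk/igtk arrays stood in by byte arrays of the same size, the __le types by fixed-width integers), shows that the 612-byte kmemdup() range cannot hold tid_tear_down and station_id, and implements the fixed conversion the message describes: allocate the whole object zeroed, copy the prefix up to received_beacons, then set the tail members. struct iwl_wowlan_info_notif_v1 here is a hypothetical stand-in assumed to share that prefix and the two tail members (which is what the driver's copy relies on); offsetofend() is reimplemented with the kernel's definition; the sample notification is constructed.

```c
/*
 * Added example (not from the iwlwifi driver): user-space model of the
 * too-short kmemdup() from the commit message and of the fixed conversion.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same definition as the kernel's offsetofend() in include/linux/stddef.h. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Layout taken from the pahole output in the commit message. */
#define NOTIF_FIELDS \
	uint8_t  gtk[488];   /* stand-in for struct iwl_wowlan_gtk_status_v3 gtk[2] */ \
	uint8_t  igtk[80];   /* stand-in for struct iwl_wowlan_igtk_status igtk[2] */ \
	uint64_t replay_ctr; \
	uint16_t pattern_number; \
	uint16_t reserved1; \
	uint16_t qos_seq_ctr[8]; \
	uint32_t wakeup_reasons; \
	uint32_t num_of_gtk_rekeys; \
	uint32_t transmitted_ndps; \
	uint32_t received_beacons; \
	uint8_t  tid_tear_down; \
	uint8_t  station_id; \
	uint8_t  reserved2[2];

struct iwl_wowlan_info_notif { NOTIF_FIELDS } __attribute__((packed));

/* Hypothetical v1 stand-in: assumed to share the prefix and tail members. */
struct iwl_wowlan_info_notif_v1 { NOTIF_FIELDS } __attribute__((packed));

/* Number of bytes the buggy kmemdup() copied: up to the end of received_beacons. */
size_t buggy_dup_len(void)
{
	return offsetofend(struct iwl_wowlan_info_notif, received_beacons);
}

/* Does the byte range [off, off + len) lie inside an allocation of alloc_len bytes? */
int member_fits(size_t alloc_len, size_t off, size_t len)
{
	return off <= alloc_len && len <= alloc_len - off;
}

/* 1 if tid_tear_down and station_id both fit in an allocation of alloc_len bytes. */
int tail_members_fit(size_t alloc_len)
{
	return member_fits(alloc_len, offsetof(struct iwl_wowlan_info_notif, tid_tear_down), 1) &&
	       member_fits(alloc_len, offsetof(struct iwl_wowlan_info_notif, station_id), 1);
}

/*
 * The fixed conversion: allocate the whole object zeroed (kzalloc in the
 * driver, calloc here), copy the v1 prefix, then set the tail members.
 * Returns NULL on allocation failure; the caller frees the result.
 */
struct iwl_wowlan_info_notif *
convert_v1_fixed(const struct iwl_wowlan_info_notif_v1 *v1)
{
	struct iwl_wowlan_info_notif *notif = calloc(1, sizeof(*notif));

	if (!notif)
		return NULL;
	memcpy(notif, v1, offsetofend(struct iwl_wowlan_info_notif, received_beacons));
	notif->tid_tear_down = v1->tid_tear_down;
	notif->station_id = v1->station_id;
	return notif;
}

/* Constructed sample v1 notification; the 0xAA fill makes stale bytes visible. */
static struct iwl_wowlan_info_notif_v1 sample_v1(void)
{
	struct iwl_wowlan_info_notif_v1 v1;

	memset(&v1, 0xAA, sizeof(v1));
	v1.received_beacons = 17;
	v1.tid_tear_down = 0x5a;
	v1.station_id = 3;
	return v1;
}

/* 1 if the fixed conversion copies the prefix and tail and leaves reserved2 zeroed. */
int fixed_conversion_check(void)
{
	struct iwl_wowlan_info_notif_v1 v1 = sample_v1();
	struct iwl_wowlan_info_notif *notif = convert_v1_fixed(&v1);
	int ok;

	if (!notif)
		return 0;
	ok = notif->received_beacons == 17 && notif->tid_tear_down == 0x5a &&
	     notif->station_id == 3 && notif->reserved2[0] == 0 && notif->reserved2[1] == 0;
	free(notif);
	return ok;
}

int main(void)
{
	size_t n = buggy_dup_len();

	printf("kmemdup() copied %zu of %zu bytes; tail members fit: %d\n",
	       n, sizeof(struct iwl_wowlan_info_notif), tail_members_fit(n));
	printf("fixed conversion (full object, zeroed tail) ok: %d\n",
	       fixed_conversion_check());
	return 0;
}
```

The runtime range check stands in for GCC's -Warray-bounds, which in the kernel build fires because the fortified kmemdup() wrapper lets the compiler see the 612-byte allocation size; a plain user-space rebuild of this model does not reproduce that diagnostic, so the example checks the arithmetic directly.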
cfg wifi: iwlwifi: Update support for b0 version 2023-04-20 11:45:54 +02:00
dvm wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace 2023-04-19 09:42:28 +02:00
fw wifi: iwlwifi: fix OEM's name in the ppag approved list 2023-05-16 10:27:05 -07:00
mei wifi: iwlwifi: mvm: fix RFKILL report when driver is going down 2023-04-20 11:45:55 +02:00
mvm wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif() 2023-06-06 11:11:14 +02:00
pcie wifi: iwlwifi: Update support for b0 version 2023-04-20 11:45:54 +02:00
queue wifi: iwlwifi: add a validity check of queue_id in iwl_txq_reclaim 2023-04-13 16:29:59 +02:00
iwl-agn-hw.h
iwl-config.h wifi: iwlwifi: Update support for b0 version 2023-04-20 11:45:54 +02:00
iwl-context-info-gen3.h wifi: iwlwifi: mvm: Support STEP equalizer settings from BIOS. 2023-01-30 13:00:19 +02:00
iwl-context-info.h
iwl-csr.h wifi: iwlwifi: Add RF Step Type for BZ device 2023-04-14 13:15:26 +02:00
iwl-dbg-tlv.c wifi: iwlwifi: move debug buffer allocation failure to info verbosity 2023-04-17 09:53:25 +02:00
iwl-dbg-tlv.h
iwl-debug.c wifi: iwlwifi: debug: fix crash in __iwl_err() 2023-04-13 16:29:58 +02:00
iwl-debug.h
iwl-devtrace-data.h
iwl-devtrace-io.h
iwl-devtrace-iwlwifi.h
iwl-devtrace-msg.h tracing/iwlwifi: Use the new __vstring() helper 2022-07-15 17:44:40 -04:00
iwl-devtrace-ucode.h
iwl-devtrace.c wifi: iwlwifi: Avoid disabling GCC specific flag with clang 2023-03-16 08:51:56 +01:00
iwl-devtrace.h
iwl-drv.c wifi: iwlwifi: mvm: allow number of beacons from FW 2023-04-17 09:53:25 +02:00
iwl-drv.h
iwl-eeprom-parse.c
iwl-eeprom-parse.h wifi: iwlwifi: nvm: Update HE capabilities on 6GHz band for EHT device 2023-04-13 16:30:00 +02:00
iwl-eeprom-read.c
iwl-eeprom-read.h
iwl-fh.h
iwl-io.c
iwl-io.h
iwl-modparams.h wifi: iwlwifi: mvm: Advertise EHT capabilities 2022-11-28 17:52:51 +02:00
iwl-nvm-parse.c wifi: iwlwifi: nvm-parse: add full BW UL MU-MIMO support 2023-04-17 09:53:23 +02:00
iwl-nvm-parse.h
iwl-op-mode.h
iwl-phy-db.c
iwl-phy-db.h
iwl-prph.h wifi: iwlwifi: Add RF Step Type for BZ device 2023-04-14 13:15:26 +02:00
iwl-scd.h
iwl-trans.c
iwl-trans.h wifi: iwlwifi: Add RF Step Type for BZ device 2023-04-14 13:15:26 +02:00
Kconfig wifi: iwlwifi: Mark IWLMEI as broken 2022-09-12 14:22:55 +03:00
Makefile