Re: [PATCH] wifi: brcmfmac: p2p: Introduce generic flexible array frame member

From: Linus Walleij
Date: Thu Feb 16 2023 - 05:20:49 EST


On Wed, Feb 15, 2023 at 11:41 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> Silence run-time memcpy() false positive warning when processing
> management frames:
>
> memcpy: detected field-spanning write (size 27) of single field "&mgmt_frame->u" at drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c:1469 (size 26)
>
> Due to this (soon to be fixed) GCC bug[1], FORTIFY_SOURCE (via
> __builtin_dynamic_object_size) doesn't recognize that the union may end
> with a flexible array, and returns "26" (the fixed size of the union),
> rather than the remaining size of the allocation. Add an explicit
> flexible array member and set it as the destination here, so that we
> get the correct coverage for the memcpy().
>
> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101832
>
> Reported-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> Cc: Arend van Spriel <aspriel@xxxxxxxxx>
> Cc: Franky Lin <franky.lin@xxxxxxxxxxxx>
> Cc: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
> Cc: Kalle Valo <kvalo@xxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> Cc: "Jason A. Donenfeld" <Jason@xxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: "Darrick J. Wong" <djwong@xxxxxxxxxx>
> Cc: Colin Ian King <colin.i.king@xxxxxxxxx>
> Cc: Brian Henriquez <brian.henriquez@xxxxxxxxxxx>
> Cc: linux-wireless@xxxxxxxxxxxxxxx
> Cc: brcm80211-dev-list.pdl@xxxxxxxxxxxx
> Cc: SHA-cyfmac-dev-list@xxxxxxxxxxxx
> Cc: netdev@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Us having to deal with this kind of stuff is why we need Rust.

Thanks for doing this Kees,
Reviewed-by: Linus Walleij <linus.walleij@xxxxxxxxxx>

Yours,
Linus Walleij
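
The false positive described in the quoted commit message, modelled in user space as an added example (not code from the patch, the driver, or anyone in this thread). The struct layouts, `copy_body`, `sample_body` and the verdict names are constructed for illustration; the sizes 26 and 27 are the ones in the quoted warning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified layouts; not the kernel's struct definitions. */
struct frame_union {                  /* body is a union of fixed-size variants */
    uint8_t hdr[24];
    union { uint8_t action[26]; uint8_t probe[12]; } u;
};
struct frame_flex {                   /* body is an explicit flexible array */
    uint8_t hdr[24];
    uint8_t body[];
};

enum verdict { COPY_OK, FIELD_SPANNING, OVERFLOW_REFUSED, BAD_INPUT };

static const uint8_t sample_body[32] = {0}; /* constructed payload */

/* Model of a fortified copy of an n-byte body into a frame of alloc_len bytes.
 * flex == 0: destination is the union, bound is its fixed size (26).
 * flex != 0: destination is the flexible array, bound is the space left. */
enum verdict copy_body(int flex, size_t alloc_len, size_t n)
{
    size_t off = flex ? offsetof(struct frame_flex, body)
                      : offsetof(struct frame_union, u);
    if (alloc_len < off || n > sizeof(sample_body))
        return BAD_INPUT;

    uint8_t *frame = calloc(1, alloc_len);
    if (!frame)
        return BAD_INPUT;

    size_t room = alloc_len - off;    /* bytes really available after hdr */
    size_t bound = flex ? room : sizeof(((struct frame_union *)0)->u);
    enum verdict v;

    if (n > room) {
        v = OVERFLOW_REFUSED;         /* genuine overflow: never copy */
    } else {
        memcpy(frame + off, sample_body, n);
        v = n > bound ? FIELD_SPANNING : COPY_OK; /* in bounds; warn only */
    }
    free(frame);
    return v;
}
```

With a 51-byte allocation, a 27-byte body is flagged when the bound is the 26-byte union and accepted when the bound is the space left in the allocation, while a 28-byte body is refused under either layout.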