From nobody Tue May 5 10:13:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BCD0C433F5 for ; Sat, 28 May 2022 21:17:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230034AbiE1VQ6 (ORCPT ); Sat, 28 May 2022 17:16:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44412 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229660AbiE1VQz (ORCPT ); Sat, 28 May 2022 17:16:55 -0400 Received: from p-impout004.msg.pkvw.co.charter.net (p-impout004aa.msg.pkvw.co.charter.net [47.43.26.135]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A83DDBC1D for ; Sat, 28 May 2022 14:16:54 -0700 (PDT) Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com ([24.31.246.181]) by cmsmtp with ESMTP id v3mLnd6IdgPEBv3mNnEtss; Sat, 28 May 2022 21:15:24 +0000 X-Authority-Analysis: v=2.4 cv=b8OhX/Kx c=1 sm=1 tr=0 ts=629290ec a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=ag1SF4gXAAAA:8 a=trFUbqFmGWvzTRzaABQA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22 a=Yupwre4RP9_Eg_Bd0iYG:22 From: Larry Finger To: Linus Torvalds Cc: linux-kernel@vger.kernel.org, Larry Finger , Greg Kroah-Hartman Subject: [PATCH 1/2] staging: r8188eu: Fix warning of array overflow in ioctl_linux.c Date: Sat, 28 May 2022 16:14:51 -0500 Message-Id: <20220528211452.32134-2-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220528211452.32134-1-Larry.Finger@lwfinger.net> References: <20220528211452.32134-1-Larry.Finger@lwfinger.net> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-CMAE-Envelope: MS4xfEjnjlCsUNQ/npLE95r0nZ9hwCv3p+ErZWc3AUtLno9KIFC3X2gscqkS9TaZX4GXD521d2Af1oG1OrDhJVUmGCuvC+I1cHD9dP3x2Lle4S3GAusxjlWq mx7PAc+mEjXFxUJ/TWXj0EAaP6S5lPFVUUNtEeUCw0//ThpL34L7klFwB1+FcUcwReJ451VTSbOcTS62BiDQ7tuhopxLPwS8vY4McsqSJffTh1BNQDgCd5+e JyBlnGutjb3ivvyu7OD5Kkwpm3Km2LBN37j6Pj+PUzjJ9CD6G/siDJ0f94R02/VB6WUZi8YCfVvZUberTacO1H6V0dct7kEdVIHSyGCRp/3q3ytdTf1TBq2d lSLa1d+zzvf+CenM97fyrLS5yE8u8gbeq3wXqPwvhfbuOBHey+o= Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Building with -Warray-bounds results in the following warning plus others related to the same problem: CC [M] drivers/staging/r8188eu/os_dep/ioctl_linux.o In function =E2=80=98wpa_set_encryption=E2=80=99, inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:1868:9: drivers/staging/r8188eu/os_dep/ioctl_linux.c:412:41: warning: array subscri= pt =E2=80=98struct ndis_802_11_wep[0]=E2=80=99 is partly outside array boun= ds of =E2=80=98void[25]=E2=80=99 [-Warray-bounds] 412 | pwep->KeyLength =3D wep_key_len; | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ In file included from drivers/staging/r8188eu/os_dep/../include/osdep_servi= ce.h:19, from drivers/staging/r8188eu/os_dep/ioctl_linux.c:4: In function =E2=80=98kmalloc=E2=80=99, inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9, inlined from =E2=80=98wpa_set_encryption=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:408:11, inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:1868:9: ./include/linux/slab.h:605:16: note: object of size [17, 25] allocated by = =E2=80=98__kmalloc=E2=80=99 605 | return __kmalloc(size, flags); | ^~~~~~~~~~~~~~~~~~~~~~ ./include/linux/slab.h:600:24: note: object of size [17, 25] allocated by = =E2=80=98kmem_cache_alloc_trace=E2=80=99 600 | return kmem_cache_alloc_trace( | ^~~~~~~~~~~~~~~~~~~~~~~ 601 | kmalloc_caches[kmalloc_type(flags)]= [index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~~~~~~~~ 602 | flags, size); | ~~~~~~~~~~~~ Although it is unlikely that anyone is still using WEP encryption, the size of the allocation needs to be increased just in case. Fixes commit 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for = RTL8188eu driver") Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL818= 8eu driver") Signed-off-by: Larry Finger Cc: Greg Kroah-Hartman --- drivers/staging/r8188eu/os_dep/ioctl_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging= /r8188eu/os_dep/ioctl_linux.c index eb9375b0c660..ce3dcfc812e9 100644 --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c @@ -404,7 +404,7 @@ static int wpa_set_encryption(struct net_device *dev, s= truct ieee_param *param, =20 if (wep_key_len > 0) { wep_key_len =3D wep_key_len <=3D 5 ? 5 : 13; - wep_total_len =3D wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, Ke= yMaterial); + wep_total_len =3D wep_key_len + sizeof(*pwep); pwep =3D kzalloc(wep_total_len, GFP_KERNEL); if (!pwep) goto exit; --=20 2.36.1 From nobody Tue May 5 10:13:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C283FC433F5 for ; Sat, 28 May 2022 21:17:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230070AbiE1VRH (ORCPT ); Sat, 28 May 2022 17:17:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44674 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230043AbiE1VRA (ORCPT ); Sat, 28 May 2022 17:17:00 -0400 Received: from p-impout004.msg.pkvw.co.charter.net (p-impout004aa.msg.pkvw.co.charter.net [47.43.26.135]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7AD34BC22 for ; Sat, 28 May 2022 14:16:58 -0700 (PDT) Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com ([24.31.246.181]) by cmsmtp with ESMTP id v3mLnd6IdgPEBv3mRnEttK; Sat, 28 May 2022 21:15:27 +0000 X-Authority-Analysis: v=2.4 cv=b8OhX/Kx c=1 sm=1 tr=0 ts=629290ef a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=ag1SF4gXAAAA:8 a=VTP6l_gzy7p3D2MEsWYA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22 a=Yupwre4RP9_Eg_Bd0iYG:22 From: Larry Finger To: Linus Torvalds Cc: linux-kernel@vger.kernel.org, Larry Finger Subject: [PATCH 2/2] staging: r8188eu: Fix undersized array in rtw_xmit.c Date: Sat, 28 May 2022 16:14:52 -0500 Message-Id: <20220528211452.32134-3-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220528211452.32134-1-Larry.Finger@lwfinger.net> References: <20220528211452.32134-1-Larry.Finger@lwfinger.net> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-CMAE-Envelope: MS4xfCKOQQzV5sOO9cpih/JLzLJJTp15WGk9mISv+QgUqDYfcYI/tir+unI3M3xTKrn+NhGSR1B9rx2jBSbsr5NgAKU3m8jLxlCQOEMRkdVBjajeSaGfIyUD uxTCXA2QXgFpHviPswnrPca6aoa05TOG4Pjaa15BmU0Ut16Q0FSW6O24GRVm8bFJ3JgYBx7iVlaCGhmDKIP4e23ftSK/vBS8D6sbicjAdYIFirRVkINPxBoP oyP2Q31ravRqgLCYTZ9k3/wsDQ/W4Jd1WVDc6y8rW40BhngY+5TxiDOeAgLuzzujeRnq9pJDvWnLjZVzTtKCNGMi1o+4i4sUtmDIjVEGYqz+E9yLsHYFBVFS yHWhZELH Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Compiling with -warray-bounds yields the following warning: drivers/staging/r8188eu/core/rtw_xmit.c: In function =E2=80=98rtw_alloc_hwx= mits=E2=80=99: drivers/staging/r8188eu/core/rtw_xmit.c:1493:24: warning: array subscript 4= is outside array bounds of =E2=80=98void[64]=E2=80=99 [-Warray-bounds] 1493 | hwxmits[4] .sta_queue =3D &pxmitpriv->be_pending; | ~~~~~~~^~~ In file included from drivers/staging/r8188eu/core/../include/osdep_service= .h:19, from drivers/staging/r8188eu/core/rtw_xmit.c:6: In function =E2=80=98kmalloc=E2=80=99, inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9, inlined from =E2=80=98rtw_alloc_hwxmits=E2=80=99 at drivers/staging/r81= 88eu/core/rtw_xmit.c:1484:23: ./include/linux/slab.h:600:24: note: at offset 64 into object of size 64 al= located by =E2=80=98kmem_cache_alloc_trace=E2=80=99 600 | return kmem_cache_alloc_trace( | ^~~~~~~~~~~~~~~~~~~~~~~ 601 | kmalloc_caches[kmalloc_type(flags)]= [index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~~~~~~~~ 602 | flags, size); | This warning arises because macro HWXMIT_ENTRY is too small. Fixes commit 7884fc0a1473 ("staging: r8188eu: introduce new include dir for RTL8188eu driver") Fixes: 7884fc0a1473 ("staging: r8188eu: introduce new include dir for RTL81= 88eu driver") Signed-off-by: Larry Finger Greg Kroah-Hartman --- drivers/staging/r8188eu/include/rtw_xmit.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/r8188eu/include/rtw_xmit.h b/drivers/staging/r= 8188eu/include/rtw_xmit.h index b2df1480d66b..27fa536f51ee 100644 --- a/drivers/staging/r8188eu/include/rtw_xmit.h +++ b/drivers/staging/r8188eu/include/rtw_xmit.h @@ -69,7 +69,7 @@ do { \ dot11txpn.val =3D dot11txpn.val =3D=3D 0xffffffffffffULL ? 0 : (dot11txpn= .val+1);\ } while (0) =20 -#define HWXMIT_ENTRY 4 +#define HWXMIT_ENTRY 5 =20 #define TXDESC_SIZE 32 =20 --=20 2.36.1