From nobody Sun May 3 11:14:31 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DAD3EC433EF for ; Sun, 29 May 2022 00:47:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230167AbiE2Arc (ORCPT ); Sat, 28 May 2022 20:47:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55326 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229798AbiE2ArZ (ORCPT ); Sat, 28 May 2022 20:47:25 -0400 Received: from p-impout003.msg.pkvw.co.charter.net (p-impout003aa.msg.pkvw.co.charter.net [47.43.26.134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B1FB136B75 for ; Sat, 28 May 2022 17:47:24 -0700 (PDT) Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com ([24.31.246.181]) by cmsmtp with ESMTP id v75WnJjj4R0wIv75XnCgk9; Sun, 29 May 2022 00:47:23 +0000 X-Authority-Analysis: v=2.4 cv=FYAkeby6 c=1 sm=1 tr=0 ts=6292c29b a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=JKArFDfnAAAA:8 a=trFUbqFmGWvzTRzaABQA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22 a=8HTcXXoeXT8DLsUt73VG:22 From: Larry Finger To: gregkh@linuxfoundation.org Cc: phil@philpotter.co.uk, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Larry Finger Subject: [PATCH v2 1/2] staging: r8188eu: Fix warning of array overflow in ioctl_linux.c Date: Sat, 28 May 2022 19:47:10 -0500 Message-Id: <20220529004711.27545-2-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220529004711.27545-1-Larry.Finger@lwfinger.net> References: <20220529004711.27545-1-Larry.Finger@lwfinger.net> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-CMAE-Envelope: MS4xfNJmB+gcPpnZ8Dr4CUPFbiyGhAvY0LuZZesniX76hpu730ddl8S602W6MZVfRKfTL8ZaBPbXf3lslB14IbqACkFYxzHDdjydHeVonXBuTQYP2BVklI0C 7dSGdPvsV8vU//rHyUbn8mbynLYQSxNHM6nK5Ugj3TxsX6wRvlCY2PM17cH10WmuRyIdesdkW1G52R4R9n2zLMjhPSnSRbv81gTV1BYy5sfNHirnk1GQuCbJ tMlsk/cOwqSSbDwjSpzpIzKkN2CkUXtVMAMJsS+3IYu65dqAHG38OO19/BXTaHaTfuQcWMHI1aTv3FwIfqmN6892ZC1gTJgNUktUZ5fTuFAVOhYq7MCY0bzM 5xbqz0V5UpXkLMMFbrPClchndm0JzDZtnjTH7aMX/dimAL5xdk36pGlskV2Vvm42e/Mw1lGD Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Building with -Warray-bounds results in the following warning plus others related to the same problem: CC [M] drivers/staging/r8188eu/os_dep/ioctl_linux.o In function =E2=80=98wpa_set_encryption=E2=80=99, inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:1868:9: drivers/staging/r8188eu/os_dep/ioctl_linux.c:412:41: warning: array subscri= pt =E2=80=98struct ndis_802_11_wep[0]=E2=80=99 is partly outside array boun= ds of =E2=80=98void[25]=E2=80=99 [-Warray-bounds] 412 | pwep->KeyLength =3D wep_key_len; | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ In file included from drivers/staging/r8188eu/os_dep/../include/osdep_servi= ce.h:19, from drivers/staging/r8188eu/os_dep/ioctl_linux.c:4: In function =E2=80=98kmalloc=E2=80=99, inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9, inlined from =E2=80=98wpa_set_encryption=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:408:11, inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8= 188eu/os_dep/ioctl_linux.c:1868:9: ./include/linux/slab.h:605:16: note: object of size [17, 25] allocated by = =E2=80=98__kmalloc=E2=80=99 605 | return __kmalloc(size, flags); | ^~~~~~~~~~~~~~~~~~~~~~ ./include/linux/slab.h:600:24: note: object of size [17, 25] allocated by = =E2=80=98kmem_cache_alloc_trace=E2=80=99 600 | return kmem_cache_alloc_trace( | ^~~~~~~~~~~~~~~~~~~~~~~ 601 | kmalloc_caches[kmalloc_type(flags)]= [index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~~~~~~~~ 602 | flags, size); | ~~~~~~~~~~~~ Although it is unlikely that anyone is still using WEP encryption, the size of the allocation needs to be increased just in case. Fixes commit 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for = RTL8188eu driver") Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL818= 8eu driver") Signed-off-by: Larry Finger Cc: Phillip Potter --- v2 - Get To and Cc right --- drivers/staging/r8188eu/os_dep/ioctl_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging= /r8188eu/os_dep/ioctl_linux.c index eb9375b0c660..ce3dcfc812e9 100644 --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c @@ -404,7 +404,7 @@ static int wpa_set_encryption(struct net_device *dev, s= truct ieee_param *param, =20 if (wep_key_len > 0) { wep_key_len =3D wep_key_len <=3D 5 ? 5 : 13; - wep_total_len =3D wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, Ke= yMaterial); + wep_total_len =3D wep_key_len + sizeof(*pwep); pwep =3D kzalloc(wep_total_len, GFP_KERNEL); if (!pwep) goto exit; --=20 2.36.1 From nobody Sun May 3 11:14:31 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 738D9C433F5 for ; Sun, 29 May 2022 00:47:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230175AbiE2Arf (ORCPT ); Sat, 28 May 2022 20:47:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229987AbiE2Ar0 (ORCPT ); Sat, 28 May 2022 20:47:26 -0400 Received: from p-impout003.msg.pkvw.co.charter.net (p-impout003aa.msg.pkvw.co.charter.net [47.43.26.134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 357B93D48C for ; Sat, 28 May 2022 17:47:24 -0700 (PDT) Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com ([24.31.246.181]) by cmsmtp with ESMTP id v75WnJjj4R0wIv75YnCgkG; Sun, 29 May 2022 00:47:24 +0000 X-Authority-Analysis: v=2.4 cv=FYAkeby6 c=1 sm=1 tr=0 ts=6292c29c a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=JKArFDfnAAAA:8 a=VTP6l_gzy7p3D2MEsWYA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22 a=8HTcXXoeXT8DLsUt73VG:22 From: Larry Finger To: gregkh@linuxfoundation.org Cc: phil@philpotter.co.uk, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Larry Finger Subject: [PATCH v2 2/2] staging: r8188eu: Fix undersized array in rtw_xmit.c Date: Sat, 28 May 2022 19:47:11 -0500 Message-Id: <20220529004711.27545-3-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220529004711.27545-1-Larry.Finger@lwfinger.net> References: <20220529004711.27545-1-Larry.Finger@lwfinger.net> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-CMAE-Envelope: MS4xfBKE2TuOLmmE4iRaCahmKirQKcHxNQba3yni2AnYY3sRB9Z6s4176PmU+x1QvTL0jBJAwzBvJONo6nPGTfkkvGmwwJutpDH4XKBDRl6OaWi95jsrIS/v he7mB6PWjnFNoWX7bkNw29EE4X1OiSACSp35II6G+BLTfXVxEN+NZXASA1t3HaYwA4KH7vPSc1m0HDyUb3AEZuwFvgFePU2xgDBUbss7IrtHJsdxE3TiA5Hc Olc9j4A1Qti0sWQMjXmodalMcskiO9B2cI4qU+aBiUVEC3DBroO7CJu6im1oFJDMGY/PtBI1IpNg7csYoyrrLUV/kubyspsC94MRebh8GX/rk0hcpiusXKBG PQo9ut/KAF1BMw5hBpQnezKl2h24dMLvYhq2vMSt9lZ5ByqutRmF16E7URSEFVnCbup9Mxx6 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Compiling with -warray-bounds yields the following warning: drivers/staging/r8188eu/core/rtw_xmit.c: In function =E2=80=98rtw_alloc_hwx= mits=E2=80=99: drivers/staging/r8188eu/core/rtw_xmit.c:1493:24: warning: array subscript 4= is outside array bounds of =E2=80=98void[64]=E2=80=99 [-Warray-bounds] 1493 | hwxmits[4] .sta_queue =3D &pxmitpriv->be_pending; | ~~~~~~~^~~ In file included from drivers/staging/r8188eu/core/../include/osdep_service= .h:19, from drivers/staging/r8188eu/core/rtw_xmit.c:6: In function =E2=80=98kmalloc=E2=80=99, inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9, inlined from =E2=80=98rtw_alloc_hwxmits=E2=80=99 at drivers/staging/r81= 88eu/core/rtw_xmit.c:1484:23: ./include/linux/slab.h:600:24: note: at offset 64 into object of size 64 al= located by =E2=80=98kmem_cache_alloc_trace=E2=80=99 600 | return kmem_cache_alloc_trace( | ^~~~~~~~~~~~~~~~~~~~~~~ 601 | kmalloc_caches[kmalloc_type(flags)]= [index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~= ~~~~~~~~ 602 | flags, size); | This warning arises because macro HWXMIT_ENTRY is too small. Fixes commit 7884fc0a1473 ("staging: r8188eu: introduce new include dir for RTL8188eu driver") Fixes: 7884fc0a1473 ("staging: r8188eu: introduce new include dir for RTL81= 88eu driver") Signed-off-by: Larry Finger Cc: Phillip Potter --- v2 =3D Get To and Cc right --- drivers/staging/r8188eu/include/rtw_xmit.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/r8188eu/include/rtw_xmit.h b/drivers/staging/r= 8188eu/include/rtw_xmit.h index b2df1480d66b..27fa536f51ee 100644 --- a/drivers/staging/r8188eu/include/rtw_xmit.h +++ b/drivers/staging/r8188eu/include/rtw_xmit.h @@ -69,7 +69,7 @@ do { \ dot11txpn.val =3D dot11txpn.val =3D=3D 0xffffffffffffULL ? 0 : (dot11txpn= .val+1);\ } while (0) =20 -#define HWXMIT_ENTRY 4 +#define HWXMIT_ENTRY 5 =20 #define TXDESC_SIZE 32 =20 --=20 2.36.1