cve/published/2024/CVE-2024-38616.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38616: wifi: carl9170: re-fix fortified-memset warning

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: carl9170: re-fix fortified-memset warning

 The carl9170_tx_release() function sometimes triggers a fortified-memset
 warning in my randconfig builds:

 In file included from include/linux/string.h:254,
                  from drivers/net/wireless/ath/carl9170/tx.c:40:
 In function 'fortify_memset_chk',
     inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,
     inlined from 'kref_put' at include/linux/kref.h:65:3,
     inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:
 include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
   493 |                         __write_overflow_field(p_size_field, size);

 Kees previously tried to avoid this by using memset_after(), but it seems
 this does not fully address the problem. I noticed that the memset_after()
 here is done on a different part of the union (status) than the original
 cast was from (rate_driver_data), which may confuse the compiler.

 Unfortunately, the memset_after() trick does not work on driver_rates[]
 because that is part of an anonymous struct, and I could not get
 struct_group() to do this either. Using two separate memset() calls
 on the two members does address the warning though.

 The Linux kernel CVE team has assigned CVE-2024-38616 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.1.93 with commit 13857683126e8a6492af73c74d702835f7a2175b
 	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.6.33 with commit 87586467098281f04fa93e59fe3a516b954bddc4
 	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.8.12 with commit 0c38c9c460bb8ce8d6f6cf316e0d71a70983ec83
 	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.9.3 with commit 042a39bb8e0812466327a5102606e88a5a4f8c02
 	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.10 with commit 066afafc10c9476ee36c47c9062527a17e763901

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38616
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/ath/carl9170/tx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/13857683126e8a6492af73c74d702835f7a2175b
 	https://git.kernel.org/stable/c/87586467098281f04fa93e59fe3a516b954bddc4
 	https://git.kernel.org/stable/c/0c38c9c460bb8ce8d6f6cf316e0d71a70983ec83
 	https://git.kernel.org/stable/c/042a39bb8e0812466327a5102606e88a5a4f8c02
 	https://git.kernel.org/stable/c/066afafc10c9476ee36c47c9062527a17e763901
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38616: wifi: carl9170: re-fix fortified-memset warning

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: carl9170: re-fix fortified-memset warning

	The carl9170_tx_release() function sometimes triggers a fortified-memset
	warning in my randconfig builds:

	In file included from include/linux/string.h:254,
	from drivers/net/wireless/ath/carl9170/tx.c:40:
	In function 'fortify_memset_chk',
	inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,
	inlined from 'kref_put' at include/linux/kref.h:65:3,
	inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:
	include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
	493 \| __write_overflow_field(p_size_field, size);

	Kees previously tried to avoid this by using memset_after(), but it seems
	this does not fully address the problem. I noticed that the memset_after()
	here is done on a different part of the union (status) than the original
	cast was from (rate_driver_data), which may confuse the compiler.

	Unfortunately, the memset_after() trick does not work on driver_rates[]
	because that is part of an anonymous struct, and I could not get
	struct_group() to do this either. Using two separate memset() calls
	on the two members does address the warning though.

	The Linux kernel CVE team has assigned CVE-2024-38616 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.1.93 with commit 13857683126e8a6492af73c74d702835f7a2175b
	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.6.33 with commit 87586467098281f04fa93e59fe3a516b954bddc4
	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.8.12 with commit 0c38c9c460bb8ce8d6f6cf316e0d71a70983ec83
	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.9.3 with commit 042a39bb8e0812466327a5102606e88a5a4f8c02
	Issue introduced in 5.17 with commit fb5f6a0e8063b7a84d6d44ef353846ccd7708d2e and fixed in 6.10 with commit 066afafc10c9476ee36c47c9062527a17e763901

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38616
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/ath/carl9170/tx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/13857683126e8a6492af73c74d702835f7a2175b
	https://git.kernel.org/stable/c/87586467098281f04fa93e59fe3a516b954bddc4
	https://git.kernel.org/stable/c/0c38c9c460bb8ce8d6f6cf316e0d71a70983ec83
	https://git.kernel.org/stable/c/042a39bb8e0812466327a5102606e88a5a4f8c02
	https://git.kernel.org/stable/c/066afafc10c9476ee36c47c9062527a17e763901