Re: [PATCH] evh_bytechan: fix out of bounds accesses
From: Michael Ellerman <hidden>
Date: 2020-03-17 13:25:53
On Thu, 2020-01-09 at 07:39:12 UTC, Stephen Rothwell wrote:
ev_byte_channel_send() assumes that its third argument is a 16 byte array.
Some places where it is called it may not be (or we can't easily tell
if it is). Newer compilers have started producing warnings about this,
so make sure we actually pass a 16 byte array.
There may be more elegant solutions to this, but the driver is quite
old and hasn't been updated in many years.
The warnings (from a powerpc allyesconfig build) are:
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
drivers/tty/ehv_bytechan.c: In function =E2=80=98ehv_bc_udbg_putc=E2=80=99:
arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
298 | r6 =3D be32_to_cpu(p[1]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
298 | r6 =3D be32_to_cpu(p[1]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
arch/powerpc/include/asm/epapr_hcalls.h:299:20: warning: array subscript 2 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
299 | r7 =3D be32_to_cpu(p[2]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:299:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
299 | r7 =3D be32_to_cpu(p[2]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
arch/powerpc/include/asm/epapr_hcalls.h:300:20: warning: array subscript 3 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
300 | r8 =3D be32_to_cpu(p[3]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:300:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
300 | r8 =3D be32_to_cpu(p[3]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
298 | r6 =3D be32_to_cpu(p[1]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
298 | r6 =3D be32_to_cpu(p[1]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
arch/powerpc/include/asm/epapr_hcalls.h:299:20: warning: array subscript 2 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
299 | r7 =3D be32_to_cpu(p[2]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:299:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
299 | r7 =3D be32_to_cpu(p[2]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
In file included from include/linux/byteorder/big_endian.h:5,
from arch/powerpc/include/uapi/asm/byteorder.h:14,
from include/asm-generic/bitops/le.h:6,
from arch/powerpc/include/asm/bitops.h:250,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from include/asm-generic/bug.h:19,
from arch/powerpc/include/asm/bug.h:109,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from drivers/tty/ehv_bytechan.c:24:
arch/powerpc/include/asm/epapr_hcalls.h:300:20: warning: array subscript 3 =
is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
300 | r8 =3D be32_to_cpu(p[3]);
include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
ro =E2=80=98__be32_to_cpu=E2=80=99
40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
| ^
arch/powerpc/include/asm/epapr_hcalls.h:300:7: note: in expansion of macro =
=E2=80=98be32_to_cpu=E2=80=99
300 | r8 =3D be32_to_cpu(p[3]);
| ^~~~~~~~~~~
drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
=80=99
166 | static void ehv_bc_udbg_putc(char c)
| ^~~~~~~~~~~~~~~~
Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor =
byte channel driver")
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PowerPC Mailing List <redacted>
Signed-off-by: Stephen Rothwell <redacted>Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/3670664b5da555a2a481449b3baafff113b0ac35 cheers