[PATCH] evh_bytechan: fix out of bounds accesses
Michael Ellerman
patch-notifications at ellerman.id.au
Wed Mar 18 00:14:37 AEDT 2020
On Thu, 2020-01-09 at 07:39:12 UTC, Stephen Rothwell wrote:
> ev_byte_channel_send() assumes that its third argument is a 16 byte array.
> Some places where it is called it may not be (or we can't easily tell
> if it is). Newer compilers have started producing warnings about this,
> so make sure we actually pass a 16 byte array.
>
> There may be more elegant solutions to this, but the driver is quite
> old and hasn't been updated in many years.
>
> The warnings (from a powerpc allyesconfig build) are:
>
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> drivers/tty/ehv_bytechan.c: In function =E2=80=98ehv_bc_udbg_putc=E2=80=99:
> arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 298 | r6 =3D be32_to_cpu(p[1]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 298 | r6 =3D be32_to_cpu(p[1]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> arch/powerpc/include/asm/epapr_hcalls.h:299:20: warning: array subscript 2 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 299 | r7 =3D be32_to_cpu(p[2]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:299:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 299 | r7 =3D be32_to_cpu(p[2]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> arch/powerpc/include/asm/epapr_hcalls.h:300:20: warning: array subscript 3 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 300 | r8 =3D be32_to_cpu(p[3]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:300:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 300 | r8 =3D be32_to_cpu(p[3]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 298 | r6 =3D be32_to_cpu(p[1]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 298 | r6 =3D be32_to_cpu(p[1]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> arch/powerpc/include/asm/epapr_hcalls.h:299:20: warning: array subscript 2 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 299 | r7 =3D be32_to_cpu(p[2]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:299:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 299 | r7 =3D be32_to_cpu(p[2]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
> In file included from include/linux/byteorder/big_endian.h:5,
> from arch/powerpc/include/uapi/asm/byteorder.h:14,
> from include/asm-generic/bitops/le.h:6,
> from arch/powerpc/include/asm/bitops.h:250,
> from include/linux/bitops.h:29,
> from include/linux/kernel.h:12,
> from include/asm-generic/bug.h:19,
> from arch/powerpc/include/asm/bug.h:109,
> from include/linux/bug.h:5,
> from include/linux/mmdebug.h:5,
> from include/linux/gfp.h:5,
> from include/linux/slab.h:15,
> from drivers/tty/ehv_bytechan.c:24:
> arch/powerpc/include/asm/epapr_hcalls.h:300:20: warning: array subscript 3 =
> is outside array bounds of =E2=80=98const char[1]=E2=80=99 [-Warray-bounds]
> 300 | r8 =3D be32_to_cpu(p[3]);
> include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of mac=
> ro =E2=80=98__be32_to_cpu=E2=80=99
> 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
> | ^
> arch/powerpc/include/asm/epapr_hcalls.h:300:7: note: in expansion of macro =
> =E2=80=98be32_to_cpu=E2=80=99
> 300 | r8 =3D be32_to_cpu(p[3]);
> | ^~~~~~~~~~~
> drivers/tty/ehv_bytechan.c:166:13: note: while referencing =E2=80=98data=E2=
> =80=99
> 166 | static void ehv_bc_udbg_putc(char c)
> | ^~~~~~~~~~~~~~~~
>
> Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor =
> byte channel driver")
> Cc: Michael Ellerman <mpe at ellerman.id.au>
> Cc: PowerPC Mailing List <linuxppc-dev at lists.ozlabs.org>
> Signed-off-by: Stephen Rothwell <sfr at canb.auug.org.au>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/3670664b5da555a2a481449b3baafff113b0ac35
cheers
More information about the Linuxppc-dev
mailing list