Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp407331ybz; Wed, 22 Apr 2020 00:11:30 -0700 (PDT) X-Google-Smtp-Source: APiQypKNOEfgiG4HtKBRnfuyuOfPKG3M14a0qw8uRrbiscLgiIcmaewBlTBy9vpyjHaomYHvFhNL X-Received: by 2002:a50:abe2:: with SMTP id u89mr22834050edc.259.1587539489752; Wed, 22 Apr 2020 00:11:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587539489; cv=none; d=google.com; s=arc-20160816; b=LDs33STHQ2WvQOfB3ed6Jv7KNJZ551qkA+gosGprw/BQVtwU8rbhhMkVnoiKDdTB/u nm0VWqML56UJVhvbnoN6hQwjjEtsblVUm1koXTmsiXTMdUlL7jXRC6gj3se/c+QnduTO xVXteyAJuDxXVwXXJ/K2X3s8xXSjhDobJQNO7v7rIiJQ1npS8pz+EAZoVfGHyBL3exnU VV/xobHibYbxrNxaisj8mZ/E0f10Jb6ZhETb3m/t8HbuXHkMvJKaunjsLmNwF/CNct1s Zl6BHDFgrNs26+a+55OU6FbKq0wRbQ9FPXPglZjD9xDZo42wHTNhT0Da0i6GAMZprVPO 8Dig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=6CVFGqxG/v/g0amb7iSB8Lo9w38X6pIJaoEOXJitxb8=; b=Cor83UpbF6+wml294yUULzn35KhdeaeIpsr+7lD5D2ilg97pQD2r+W3CUtBIUeWh48 jAmVeEfVT/JnrPDbDAp4YP6Mugm9QS7V3kZGEHnsWmhDaqc70KHmnMc2nd96RIgCyCd/ dgvpuiySyBmkLT1Uak4JCB31Bzwv8gqSU0aLPwr2xnbGHrxL4ednBvWFS02PxjxIF490 j2cOIjgzcL6OMIYKkqymQ6JSXLFJz5+TE29zkDz3Y7TmkZHyJC+jR/gh7AcwTggpb/ET oUEPydXHjoSF8hqGYTRsP71Y9prv0wpcinV2tcVhphKggpMcCzttxw/t/KL5yPR5YUdF a+bQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=gVVm4k47; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x21si3044061ejs.38.2020.04.22.00.11.06; Wed, 22 Apr 2020 00:11:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=gVVm4k47; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726077AbgDVHJX (ORCPT + 99 others); Wed, 22 Apr 2020 03:09:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33690 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1725786AbgDVHJV (ORCPT ); Wed, 22 Apr 2020 03:09:21 -0400 Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6C20C03C1A6; Wed, 22 Apr 2020 00:09:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=6CVFGqxG/v/g0amb7iSB8Lo9w38X6pIJaoEOXJitxb8=; b=gVVm4k47Cvu1PFJgzjX/SkUM/m mvRKEQwrpXa1IE/gVbfgEUWuuszxNoovUJu15JMZgWzrCRfyN73Fck5PoKuWjMhziZZJeZtmIhaxY D4ZhMQ9oFzhcYu4spFvEIFFTkOs8zS+lEk0iXcaFNb8clfGgk5iiWttuKWRtrkvh1jjpWOLOnOCkM skr5o8kmUWltstkREV5B7RnSndEOMVodXnR3iEuodtYEgGoi/pDdLYb3jAP8o/MfPyhVf1naK9xc6 xttmP0m9qaXteU7GTEV2zMI4AMmS5+utVZfYJ/Djtjz51ZCC0wEZL2ca7Xd088t1j/QscM3h18l9J HDXefL4w==; Received: from hch by bombadil.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1jR9VZ-0001HQ-MH; Wed, 22 Apr 2020 07:09:21 +0000 Date: Wed, 22 Apr 2020 00:09:21 -0700 From: Christoph Hellwig To: Denis Efremov Cc: linux-block@vger.kernel.org, Willy Tarreau , linux-kernel@vger.kernel.org Subject: Re: [PATCH 3/3] floppy: suppress UBSAN warning in setup_rw_floppy() Message-ID: <20200422070921.GA19116@infradead.org> References: <20200421125722.58959-1-efremov@linux.com> <20200421125722.58959-4-efremov@linux.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200421125722.58959-4-efremov@linux.com> X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org. See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 21, 2020 at 03:57:22PM +0300, Denis Efremov wrote: > UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45 > index 16 is out of range for type 'unsigned char [16]' > Call Trace: > ... > setup_rw_floppy+0x5c3/0x7f0 > floppy_ready+0x2be/0x13b0 > process_one_work+0x2c1/0x5d0 > worker_thread+0x56/0x5e0 > kthread+0x122/0x170 > ret_from_fork+0x35/0x40 > > >From include/uapi/linux/fd.h: > struct floppy_raw_cmd { > ... > unsigned char cmd_count; > unsigned char cmd[16]; > unsigned char reply_count; > unsigned char reply[16]; > ... > } > > This out-of-bounds access is intentional. The command in struct > floppy_raw_cmd may take up the space initially intended for the reply > and the reply count. It is needed for long 82078 commands such as > RESTORE, which takes 17 command bytes. Initial cmd size is not enough > and since struct setup_rw_floppy is a part of uapi we check that > cmd_count is in [0:16+1+16] in raw_cmd_copyin(). > > The patch replaces array subscript with pointer arithetic to suppress > UBSAN warning. Urghh. I think the better way would be to use a union that creates a larger cmd field, or something like: struct floppy_raw_cmd { ... u8 buf[34]; #define BUF_CMD_COUNT 0 #define BUF_CMD 1 #define BUF_REPLY_COUNT 17 #define BUF_REPLY 18 and use addressing based on that.