Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp630781pxf; Wed, 17 Mar 2021 12:00:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwhiX1iS0WU6dB9qn6te/hmBM96FqOHCoF1VzNKIt0tYv1LlBVWfzQRvIARfJZXA6plhrVj X-Received: by 2002:a17:906:39a:: with SMTP id b26mr37720966eja.158.1616007607006; Wed, 17 Mar 2021 12:00:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616007606; cv=none; d=google.com; s=arc-20160816; b=jAqfmFqTCeKmfaEfWvOZcw4BTDmMMV2Af/jbLSt1P+1GCEKQo5dZAtc5A98kGs8HiW gYe1fmABtgC0g8W5StppIFJjMHTG5LKkiOdEw1g0aTLZZ34x/LB9KGVPPPvnVmNIN48o WlaaYwPUh+SUtH3hcxbdZP5lozPhPlIqCOAyng7qixn4NajJ97wtBOK/v2XdG6YqJvie lV+CuKHLHrKBmaamAcA+WTJLzvarXV1IfezGSAwGwnu64LV18f80jX+vT+O/Tg/80qOy MnnRCTSO/EPkPFZOwjmrpmcpagEGpLTxsYrHZvep3BsvEkABCeShAiI7plTHcQTU0BG+ dP4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=4tkhXz7ciBpwwPumsE8QZTmyp8AevItredkFY7TSORQ=; b=C6hGBVvlM2rFYVsNKngsVLbeIfZiVpyugY2vIrTCRk3lg6zQlrCBrK8GT6G0ajsNXl 8iajEG2aMcLvnEXJFAS6EzP10b3uObe7FyAM9xxesA4xBltw7f+550LCQjVfphhqD+u7 kKXXP24MpFhBQ+F7B4fcrwpezCvhYqey2CQ/xr8O6hPqmx/3a2VeBpsvfrHdK+h1zc46 cZwmcre+KWZZEWkp5tF7swsfN+PEUvX+UvBphQBmU5KfOA6SYrkJJIJPQ5cMVogTJ4Gt iqVVcAYg4wEJJcMU2wpP36QjR8dV28E9avM9oO6w0oTECGjDrj4Vwf8lKUm8FJSMkiu1 3VOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=E5uNQ5HR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m20si16639889ejc.530.2021.03.17.11.59.43; Wed, 17 Mar 2021 12:00:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=E5uNQ5HR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232029AbhCQS6n (ORCPT + 99 others); Wed, 17 Mar 2021 14:58:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229796AbhCQS6N (ORCPT ); Wed, 17 Mar 2021 14:58:13 -0400 Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9B56C06174A for ; Wed, 17 Mar 2021 11:58:12 -0700 (PDT) Received: by mail-lj1-x232.google.com with SMTP id y1so4497367ljm.10 for ; Wed, 17 Mar 2021 11:58:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4tkhXz7ciBpwwPumsE8QZTmyp8AevItredkFY7TSORQ=; b=E5uNQ5HR2vm/LcV09nz3Jy9xCy4NevVtgcwEskfoCxV0rh3LoaOeF1rVJdHkhThgla OTgXFFEnsj1kovBCJU2GLDgdQPDGlAFX5lP/lTIl3+y5CThXEWZO8+DoGHBwpH00/9eR gee/VOKAIre91MnnvaNmSjynUKSJUVpFdRqzj1jVDxoQPbJH2CLaKvBERLTn+qjksv82 9jzbKUHOdrHW7hsA9xmNS2XQhTyGspCBiyA4QnJTkmiry8dZdtrNVWlKY0tBGh+BuG2A ZHWj6NitZnMqBsRbgiCxqhMHWCEAfk6VgDLMPkvqgHE3r+ZcUw7i6YxPt8qPvjO8sRjb /CJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4tkhXz7ciBpwwPumsE8QZTmyp8AevItredkFY7TSORQ=; b=oQglWqtnxaExfnbqqIuC44AW+iibSzURcdzhO4Gsd/d5IffrKNmcVvOuDF+BCRmWqD vdZHupxM0jTU+bNpzm3gNHOFt88NCtkTWnzwMJQWm6ZS5HHSzKG94a8iTRzYGxJ7U17V RgbAYSrlqXoHjLhp/o3jATB7FwbIllRxz9AZP4QAHvnOcmkylTlAzEa8OY+GoGT/nXG1 g8FAk8dBPmwJFguhCeqTtCLk4qLh/p12TB/xViVi9Hx1kZ+ywdcp8w7fKvCuDPcVkkpM 9vyAXiAYMow1CnuKTYwZjoixffYzWi0gKs9SOIFrinayhQZ2T1FP9Cg6a46LFaRxLXOx HCuw== X-Gm-Message-State: AOAM5336LCjSCFfWkBVElrBIgxv/iXUlHf7zTCDtM5JL/lfFBTt/3ipC 8ee9BFP5Q1XOP77qIhG1DSOOiRNnS8Qi/ARLFft6Jw== X-Received: by 2002:a05:651c:1134:: with SMTP id e20mr3228605ljo.385.1616007490899; Wed, 17 Mar 2021 11:58:10 -0700 (PDT) MIME-Version: 1.0 References: <20210317064148.GA55123@embeddedor> <3bd8d009-2ad2-c24d-5c34-5970c52502de@embeddedor.com> In-Reply-To: <3bd8d009-2ad2-c24d-5c34-5970c52502de@embeddedor.com> From: Jann Horn Date: Wed, 17 Mar 2021 19:57:44 +0100 Message-ID: Subject: Re: [Intel-wired-lan] [PATCH][next] ixgbe: Fix out-of-bounds warning in ixgbe_host_interface_command() To: "Gustavo A. R. Silva" Cc: "Gustavo A. R. Silva" , Network Development , kernel list , intel-wired-lan@lists.osuosl.org, linux-hardening@vger.kernel.org, Jakub Kicinski , "David S. Miller" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 17, 2021 at 7:27 PM Gustavo A. R. Silva wrote: > On 3/17/21 12:11, Jann Horn wrote: > > On Wed, Mar 17, 2021 at 8:43 AM Gustavo A. R. Silva > > wrote: > >> Fix the following out-of-bounds warning by replacing the one-element > >> array in an anonymous union with a pointer: > >> > >> CC [M] drivers/net/ethernet/intel/ixgbe/ixgbe_common.o > >> drivers/net/ethernet/intel/ixgbe/ixgbe_common.c: In function =E2=80=98= ixgbe_host_interface_command=E2=80=99: > >> drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:3729:13: warning: arra= y subscript 1 is above array bounds of =E2=80=98u32[1]=E2=80=99 {aka =E2=80= =98unsigned int[1]=E2=80=99} [-Warray-bounds] > >> 3729 | bp->u32arr[bi] =3D IXGBE_READ_REG_ARRAY(hw, IXGBE_FLEX_MNG, = bi); > >> | ~~~~~~~~~~^~~~ > >> drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:3682:7: note: while re= ferencing =E2=80=98u32arr=E2=80=99 > >> 3682 | u32 u32arr[1]; > >> | ^~~~~~ > >> > >> This helps with the ongoing efforts to globally enable -Warray-bounds. > >> > >> Notice that, the usual approach to fix these sorts of issues is to > >> replace the one-element array with a flexible-array member. However, > >> flexible arrays should not be used in unions. That, together with the > >> fact that the array notation is not being affected in any ways, is why > >> the pointer approach was chosen in this case. > >> > >> Link: https://github.com/KSPP/linux/issues/109 > >> Signed-off-by: Gustavo A. R. Silva > >> --- > >> drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers= /net/ethernet/intel/ixgbe/ixgbe_common.c > >> index 62ddb452f862..bff3dc1af702 100644 > >> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c > >> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c > >> @@ -3679,7 +3679,7 @@ s32 ixgbe_host_interface_command(struct ixgbe_hw= *hw, void *buffer, > >> u32 hdr_size =3D sizeof(struct ixgbe_hic_hdr); > >> union { > >> struct ixgbe_hic_hdr hdr; > >> - u32 u32arr[1]; > >> + u32 *u32arr; > >> } *bp =3D buffer; > >> u16 buf_len, dword_len; > >> s32 status; > > > > This looks bogus. An array is inline, a pointer points elsewhere - > > they're not interchangeable. > > Yep; but in this case these are the only places in the code where _u32arr= _ is > being used: > > 3707 /* first pull in the header so we know the buffer length */ > 3708 for (bi =3D 0; bi < dword_len; bi++) { > 3709 bp->u32arr[bi] =3D IXGBE_READ_REG_ARRAY(hw, IXGBE_FL= EX_MNG, bi); > 3710 le32_to_cpus(&bp->u32arr[bi]); > 3711 } So now line 3709 means: Read a pointer from bp->u32arr (the value being read from there is not actually a valid pointer), and write to that pointer at offset `bi`. I don't see how that line could execute without crashing.