From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, "Gustavo A. R. Silva", Sasha Levin
Subject: [PATCH 4.9 066/245] media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
Date: Mon, 19 Jul 2021 16:50:08 +0200
Message-Id: <20210719144942.539957158@linuxfoundation.org>
In-Reply-To: <20210719144940.288257948@linuxfoundation.org>
References: <20210719144940.288257948@linuxfoundation.org>
List-ID: linux-kernel@vger.kernel.org
From: Gustavo A. R. Silva

[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ]

Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of its
msg_data array from 4 to 5 elements. Notice that at some point the 5th
element of msg_data is being accessed in function
smscore_load_firmware_family2():

1006                 trigger_msg->msg_data[4] = 4; /* Task ID */

Also, there is no need for the object _trigger_msg_ of type
struct sms_msg_data *, when _msg_ can be used directly.

Notice that msg_data in struct sms_msg_data is a one-element array, which
causes multiple out-of-bounds warnings when accessing beyond its first
element in function smscore_load_firmware_family2():

 992         struct sms_msg_data *trigger_msg =
 993                 (struct sms_msg_data *) msg;
 994
 995         pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
 996         SMS_INIT_MSG(&msg->x_msg_header,
 997                         MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
 998                         sizeof(struct sms_msg_hdr) +
 999                         sizeof(u32) * 5);
1000
1001         trigger_msg->msg_data[0] = firmware->start_address;
1002                                 /* Entry point */
1003         trigger_msg->msg_data[1] = 6; /* Priority */
1004         trigger_msg->msg_data[2] = 0x200; /* Stack size */
1005         trigger_msg->msg_data[3] = 0; /* Parameter */
1006         trigger_msg->msg_data[4] = 4; /* Task ID */

even when enough dynamic memory is allocated for _msg_:

 929         /* PAGE_SIZE buffer shall be enough and dma aligned */
 930         msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags);

but as _msg_ is cast to (struct sms_msg_data *):

 992         struct sms_msg_data *trigger_msg =
 993                 (struct sms_msg_data *) msg;

the out-of-bounds warnings are actually valid and should be addressed.

Fix this by declaring object _msg_ of type struct sms_msg_data5 *, which
contains a 5-element array, instead of just 4. And use _msg_ directly,
instead of creating object trigger_msg.
This helps with the ongoing efforts to enable -Warray-bounds by fixing
the following warnings:

  CC [M]  drivers/media/common/siano/smscoreapi.o
drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’:
drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1003 |                 trigger_msg->msg_data[1] = 6; /* Priority */
      |                 ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |         u32 msg_data[1];
      |             ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1004 |                 trigger_msg->msg_data[2] = 0x200; /* Stack size */
      |                 ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |         u32 msg_data[1];
      |             ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1005 |                 trigger_msg->msg_data[3] = 0; /* Parameter */
      |                 ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |         u32 msg_data[1];
      |             ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1006 |                 trigger_msg->msg_data[4] = 4; /* Task ID */
      |                 ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |         u32 msg_data[1];
      |             ^~~~~~~~

Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares")
Co-developed-by: Kees
Cook Signed-off-by: Kees Cook Signed-off-by: Gustavo A. R. Silva Signed-off-by: Sasha Levin --- drivers/media/common/siano/smscoreapi.c | 22 +++++++++------------- drivers/media/common/siano/smscoreapi.h | 4 ++-- 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index f3a42834d7d6..b10bd45da9c5 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -914,7 +914,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, void *buffer, size_t size) { struct sms_firmware *firmware = (struct sms_firmware *) buffer; - struct sms_msg_data4 *msg; + struct sms_msg_data5 *msg; u32 mem_address, calc_checksum = 0; u32 i, *ptr; u8 *payload = firmware->payload; @@ -995,24 +995,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, goto exit_fw_download; if (coredev->mode == DEVICE_MODE_NONE) { - struct sms_msg_data *trigger_msg = - (struct sms_msg_data *) msg; - pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); SMS_INIT_MSG(&msg->x_msg_header, MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, - sizeof(struct sms_msg_hdr) + - sizeof(u32) * 5); + sizeof(*msg)); - trigger_msg->msg_data[0] = firmware->start_address; + msg->msg_data[0] = firmware->start_address; /* Entry point */ - trigger_msg->msg_data[1] = 6; /* Priority */ - trigger_msg->msg_data[2] = 0x200; /* Stack size */ - trigger_msg->msg_data[3] = 0; /* Parameter */ - trigger_msg->msg_data[4] = 4; /* Task ID */ + msg->msg_data[1] = 6; /* Priority */ + msg->msg_data[2] = 0x200; /* Stack size */ + msg->msg_data[3] = 0; /* Parameter */ + msg->msg_data[4] = 4; /* Task ID */ - rc = smscore_sendrequest_and_wait(coredev, trigger_msg, - trigger_msg->x_msg_header.msg_length, + rc = smscore_sendrequest_and_wait(coredev, msg, + msg->x_msg_header.msg_length, &coredev->trigger_done); } else { SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ, 
diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h index 4cc39e4a8318..55d02c27f124 100644 --- a/drivers/media/common/siano/smscoreapi.h +++ b/drivers/media/common/siano/smscoreapi.h @@ -636,9 +636,9 @@ struct sms_msg_data2 { u32 msg_data[2]; }; -struct sms_msg_data4 { +struct sms_msg_data5 { struct sms_msg_hdr x_msg_header; - u32 msg_data[4]; + u32 msg_data[5]; }; struct sms_data_download { -- 2.30.2
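Review bot: in the @@ -995 hunk of smscoreapi.c, replacing `sizeof(struct sms_msg_hdr) + sizeof(u32) * 5` with `sizeof(*msg)` in the SMS_INIT_MSG call is only length-preserving if struct sms_msg_data5 has no padding between x_msg_header and msg_data and none after it; the old expression spelled out the wire length, the new one trusts the struct layout, and that value is what the hunk passes to smscore_sendrequest_and_wait as msg->x_msg_header.msg_length, i.e. what the device sees. Since the @@ -914 hunk only changes the pointer type and the header hunk leaves the struct unpacked, a `BUILD_BUG_ON(sizeof(struct sms_msg_data5) != sizeof(struct sms_msg_hdr) + sizeof(u32) * 5);` beside the SMS_INIT_MSG call, or a sentence in the commit message noting that sms_msg_hdr is a multiple of 4 bytes, would make the equivalence explicit for the stable backport.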
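Review bot: the smscoreapi.h hunk renames struct sms_msg_data4 to sms_msg_data5, but the diffstat touches only smscoreapi.c and smscoreapi.h, so the rename assumes smscore_load_firmware_family2() is the sole user of the old name; a line in the commit message saying that was checked would reassure stable reviewers, since a missed user fails to compile. Separately, the struct sms_msg_data with `u32 msg_data[1];` at smscoreapi.h:619 that every warning references is left as is, so any other caller that casts a larger buffer to struct sms_msg_data and indexes past element 0 will keep tripping -Warray-bounds; converting that member to a flexible array member (`u32 msg_data[];`) would address the pattern rather than this single caller, and is worth mentioning as follow-up.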
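The layout question the `sizeof(*msg)` change turns on, worked through as an added C example; this is not code from the patch, the siano driver or the kernel. The field list of struct sms_msg_hdr and the numeric value of MSG_SMS_SWDOWNLOAD_TRIGGER_REQ are not on the page, so the 8-byte header below and the message-type constant are assumptions, and the 4096-byte local array stands in for the driver's PAGE_SIZE kmalloc. The example keeps the one-element struct next to the five-element one so their declared sizes can be compared, pins the no-padding assumption at compile time with _Static_assert, and builds the trigger request with the values from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's message header. The real field
 * list in smscoreapi.h is not on the page, so this 8-byte layout is an
 * assumption; the example only relies on it being a multiple of 4 bytes,
 * so a u32 array can follow it without padding. */
struct sms_msg_hdr {
	uint16_t msg_type;
	uint8_t  msg_src_id;
	uint8_t  msg_dst_id;
	uint16_t msg_length;
	uint16_t msg_flags;
};

/* Before the patch: the one-element array the -Warray-bounds warnings
 * point at (smscoreapi.h:619). Indexing msg_data[1..4] through a pointer
 * of this type is out of bounds for the declared type, no matter how
 * large the underlying kmalloc() allocation is. */
struct sms_msg_data {
	struct sms_msg_hdr x_msg_header;
	uint32_t msg_data[1];
};

/* After the patch: a type whose declared bounds match the five words the
 * trigger request actually carries. */
struct sms_msg_data5 {
	struct sms_msg_hdr x_msg_header;
	uint32_t msg_data[5];
};

/* The patch swaps the explicit sizeof(struct sms_msg_hdr) + sizeof(u32) * 5
 * for sizeof(*msg). The two agree only if the compiler inserts no padding
 * before or after msg_data; check that at compile time instead of trusting it. */
_Static_assert(offsetof(struct sms_msg_data5, msg_data) ==
	       sizeof(struct sms_msg_hdr),
	       "msg_data must immediately follow the header");
_Static_assert(sizeof(struct sms_msg_data5) ==
	       sizeof(struct sms_msg_hdr) + sizeof(uint32_t) * 5,
	       "sms_msg_data5 must carry no trailing padding");

/* Placeholder: the real value of MSG_SMS_SWDOWNLOAD_TRIGGER_REQ is not on the page. */
#define MSG_SMS_SWDOWNLOAD_TRIGGER_REQ_PLACEHOLDER 0x0000

/* Fills a caller-provided buffer with the trigger request the way the
 * patched code does and returns the length recorded in the header.
 * Returns 0 without touching the buffer if it cannot hold the message;
 * the driver gets this guarantee from its PAGE_SIZE allocation. */
size_t build_trigger_msg(void *buf, size_t buf_len, uint32_t start_address)
{
	struct sms_msg_data5 *msg = buf;

	if (buf == NULL || buf_len < sizeof(*msg))
		return 0;

	memset(msg, 0, sizeof(*msg));
	msg->x_msg_header.msg_type = MSG_SMS_SWDOWNLOAD_TRIGGER_REQ_PLACEHOLDER;
	msg->x_msg_header.msg_length = (uint16_t)sizeof(*msg);

	msg->msg_data[0] = start_address;	/* Entry point */
	msg->msg_data[1] = 6;			/* Priority */
	msg->msg_data[2] = 0x200;		/* Stack size */
	msg->msg_data[3] = 0;			/* Parameter */
	msg->msg_data[4] = 4;			/* Task ID */

	return msg->x_msg_header.msg_length;
}

/* Builds the request into a 4096-byte buffer (stand-in for PAGE_SIZE) and
 * returns the header's msg_length, i.e. what the device would be told. */
size_t trigger_msg_length(void)
{
	uint32_t page[1024];	/* uint32_t keeps the buffer 4-byte aligned */

	return build_trigger_msg(page, sizeof(page), 0x1000);
}

/* Returns one word of a freshly built request, or UINT32_MAX for an index
 * outside the five declared elements rather than reading past the array,
 * which is exactly the access pattern the patch removes. */
uint32_t trigger_msg_word(uint32_t start_address, unsigned idx)
{
	uint32_t page[1024];
	const struct sms_msg_data5 *msg = (const struct sms_msg_data5 *)page;

	if (idx >= 5 || build_trigger_msg(page, sizeof(page), start_address) == 0)
		return UINT32_MAX;
	return msg->msg_data[idx];
}

int main(void)
{
	size_t len = trigger_msg_length();

	printf("trigger request: %zu bytes (header %zu + 5 x %zu); old type declares only %zu\n",
	       len, sizeof(struct sms_msg_hdr), sizeof(uint32_t),
	       sizeof(struct sms_msg_data));
	return len == sizeof(struct sms_msg_data5) ? 0 : 1;
}
```

With the assumed 8-byte header the request is 28 bytes while the old struct sms_msg_data declares 12, which is why the compiler is right to complain even though the kmalloc() behind the pointer is a full page. If a real header were not a multiple of 4 bytes, the first _Static_assert would fail at build time, which is the failure mode a BUILD_BUG_ON in the driver would catch.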