From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, kernel test robot, Kees Cook, "Gustavo A. R. Silva"
Subject: [PATCH 4.9 56/60] media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
Date: Mon, 26 Jul 2021 17:39:10 +0200
Message-Id: <20210726153826.631496590@linuxfoundation.org>
In-Reply-To: <20210726153824.868160836@linuxfoundation.org>
References: <20210726153824.868160836@linuxfoundation.org>

From: Gustavo A. R. Silva

commit 8d4abca95ecc82fc8c41912fa0085281f19cc29f upstream.

Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:

  arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
  arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member _config_ of the wrong structure
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header _hdr_. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).

Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &com.cmd.ConfigureBuffers.config,
when calling memcpy().

This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Fixes: dae52d009fc9 ("V4L/DVB: ngene: Initial check-in")
Cc: stable@vger.kernel.org
Reported-by: kernel test robot
Reviewed-by: Kees Cook
Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/linux-hardening/20210420001631.GA45456@embeddedor/ Signed-off-by: Greg Kroah-Hartman --- drivers/media/pci/ngene/ngene-core.c | 2 +- drivers/media/pci/ngene/ngene.h | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) --- a/drivers/media/pci/ngene/ngene-core.c +++ b/drivers/media/pci/ngene/ngene-core.c @@ -402,7 +402,7 @@ static int ngene_command_config_free_buf com.cmd.hdr.Opcode = CMD_CONFIGURE_FREE_BUFFER; com.cmd.hdr.Length = 6; - memcpy(&com.cmd.ConfigureBuffers.config, config, 6); + memcpy(&com.cmd.ConfigureFreeBuffers.config, config, 6); com.in_len = 6; com.out_len = 0; --- a/drivers/media/pci/ngene/ngene.h +++ b/drivers/media/pci/ngene/ngene.h @@ -407,12 +407,14 @@ enum _BUFFER_CONFIGS { struct FW_CONFIGURE_FREE_BUFFERS { struct FW_HEADER hdr; - u8 UVI1_BufferLength; - u8 UVI2_BufferLength; - u8 TVO_BufferLength; - u8 AUD1_BufferLength; - u8 AUD2_BufferLength; - u8 TVA_BufferLength; + struct { + u8 UVI1_BufferLength; + u8 UVI2_BufferLength; + u8 TVO_BufferLength; + u8 AUD1_BufferLength; + u8 AUD2_BufferLength; + u8 TVA_BufferLength; + } __packed config; } __attribute__ ((__packed__)); struct FW_CONFIGURE_UART {
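
Review bot: In the ngene-core.c hunk the length 6 is still a bare literal in three places (com.cmd.hdr.Length = 6, the memcpy() size, and com.in_len = 6), so the copy size is not tied to the destination it now targets. With the new named member available, sizeof(com.cmd.ConfigureFreeBuffers.config) could be used for the memcpy() size, and ideally for hdr.Length and in_len as well, so that a later change to the struct cannot silently reintroduce an overrun and the bounds checking that -Warray-bounds and FORTIFY_SOURCE perform is expressed directly in the code. The length of the buffer behind the source pointer config is not visible in this hunk and is worth confirming at the call sites.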
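
Review bot: In the ngene.h hunk nothing enforces that the new inner struct config stays exactly 6 bytes, which is the size the caller hard-codes for this firmware command. A BUILD_BUG_ON(sizeof(com.cmd.ConfigureFreeBuffers.config) != 6) in ngene_command_config_free_buf() would pin the layout at compile time. Two smaller points on the same hunk: the inner struct is annotated with __packed while the enclosing struct keeps __attribute__ ((__packed__)), so picking one spelling would be more consistent; and moving the six u8 members under config changes their access path, so any code that referenced them directly on struct FW_CONFIGURE_FREE_BUFFERS (none is visible in this patch) would need updating, which a build of the driver will confirm.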