From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from list by lists.gnu.org with archive (Exim 4.90_1)
	id 1jFHLC-0005kE-Ls
	for mharc-grub-devel@gnu.org; Fri, 20 Mar 2020 09:05:34 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:37622)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <scdbackup@gmx.net>) id 1jFHL9-0005k4-IY
 for grub-devel@gnu.org; Fri, 20 Mar 2020 09:05:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <scdbackup@gmx.net>) id 1jFHL8-0004L4-C6
 for grub-devel@gnu.org; Fri, 20 Mar 2020 09:05:31 -0400
Received: from mout.gmx.net ([212.227.15.18]:37185)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <scdbackup@gmx.net>) id 1jFHL7-0004HT-VN
 for grub-devel@gnu.org; Fri, 20 Mar 2020 09:05:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net;
 s=badeba3b8450; t=1584709519;
 bh=2g1yLiILtyz9YOzvn5o6PBkWMiwzBAxgEPq+md+rBm4=;
 h=X-UI-Sender-Class:Date:From:To:Subject:Cc:References:In-Reply-To;
 b=NqfXP8kx8Kcj2sdSnOe+sFYu+qIrboJwF7IU2bwiH+peOuEBz297tpaOvWtKnex3p
 663cCkLMIst6Slw+DfR0DyqX8ZKApXZd3k0fSSHpIkKCzeJUKHeZXEgBgaaIkGTFyX
 2qRsU//crBXIaiuj0V7deigxlh9769KubECyn/Oc=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from scdbackup.webframe.org ([84.179.242.149]) by mail.gmx.com
 (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id
 1MvK0R-1jX5Ac2J29-00rK3m; Fri, 20 Mar 2020 14:05:19 +0100
Date: Fri, 20 Mar 2020 14:05:59 +0100
From: "Thomas Schmitt" <scdbackup@gmx.net>
To: grub-devel@gnu.org
Subject: Re: disk/mdraid1x_linux.c:181:15: warning: array subscript ...
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Cc: pmenzel@molgen.mpg.de
References: <fda623d3-634d-dbc2-74e6-387bd7040a00@molgen.mpg.de>
In-Reply-To: <fda623d3-634d-dbc2-74e6-387bd7040a00@molgen.mpg.de>
Message-Id: <19348718378123487642@scdbackup.webframe.org>
X-Provags-ID: V03:K1:3kZ6D/u9nTiZ3xnSgsmpzmD8Dp9oyCysyKILy0RaF4PA//RV2c4
 MwE87bkjeQuO1bzKSEjP+t89XJNtHLquUq3FVd+WE211HXwDtk0akIXyIBjL0LxdY+2gMUB
 QLxKTeq15vb/49lIQqMb3h4z2o+S3udYb/Iyis27Ejr6+zXiZmfUwm92ZR16rGn265wY+xI
 ZYfhn0PZ7yQH0j+1E5pDQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:/tOQHxPxRw8=:sOoYftVTIt4qvuaxk7lqMc
 OZKt8N7mE1eiGeDNpTvmLjr+hPyqWF5h48ML3Ko0Bcd7Eoeps2iZCJ5NqUxPAtNYcOrkuCUpP
 PTtuJ2oOh0tFaiNqZAT3R4edDwHou7xHXbDwV07sZjq2OjASTF6SqIaXAx58sHLsjQhNytWb1
 tusYqVGrFN1gMZFFAhuniCho3Qt5cLUxmTYKTZX0VI69JMyOaQIWD7bgtAK/Z5WT3ZzPkxF6i
 pV16nspKFRcSXubWvKAnfK+zmrwgMfhZh4VJ4HK3ID4wMGu7bzOC9ekgoqersY2mWDIvek+xT
 I6z4W+u+jL+JVUZqhIfcvMYu2quVrHBSkxDNOPZjjJv7HlrMVfE8Qnzhu6D5PNG9YSrBpFnpg
 2P5TgtpRisKHp/qtPaVCdspf49y0Kd26OnBU3IEFL4KJVYJx/FPB9ylHduMZSbwgiA/BBYd/o
 Z0dJT0fVyOxa85JluGPeVJwxeSfOj9n8MgaBUBhiCD8gf7en2hoU2XtxqtEUB3ri398+zDzSR
 SFuwpZC/nZH/jH6XTdUhBbmpLiKvP2NFRlC7mKBNgAEWF1MtjTxiqHEUYyEgGDVFwEF9dkrw/
 09WXqpak/8Ap+43avzFahkmPbkxACHBU1BBeZIhVDyhrLJJUTXiJs1VJhr/jq43bUGSHQ3MnS
 2BcvwjOoIKkFU9b9YC2U51FbvSqrj1h5k0MLp6Sz2N2G5EeLGDdKDHLn49A6+a6En5c22Rkji
 6wu6sfiRoN2giLt/fQxdfoT0iOmKe0bk8eCqxODx3pHvzsjHBtNBKriN3ajBGBtOzTp280WUE
 xVfmqScjfCjrBVk7d+bG5LAhaVbeJys0PCnaaCaaPt0ZtEi6eX1crBRMcpHdgUNusZnq5APr4
 YXrkI/yz5FBmKUfVEZqv5JwTy4m/QcKKig9FqPOJe0nG7YxqiOKpExkzwgczhZEhzLezyEH3+
 U82dTZllA7+iS1fDRnSZh5lx/zl/gXkWuqHuaewW56v/sMLNUZKyMEm/NKkQUy35UN+iDEUq5
 YAptJ4S6DdLf0CBnKuZHA7u5pFJ72iuP+mExDGO6tue4gBOXolbpg05vPKhY7/ayg6QsBlK9J
 UkBHKuJjTqSrHXoNplhHCFU6OCMGcoBjU1Fk8ceXb97ZggEDUdqz60wXXPoBeXR8aeLcJxEmu
 b+zOMKu5XdV7gAeYmpEiHRzvd0jbjAldme5/HLMqhO5TDzUdDd+RWOM05i2Ij7PcWrwSs165T
 +d+NAM7SoD7fYFfnf
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 212.227.15.18
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 13:05:33 -0000

Hi,

Paul Menzel wrote:
>   181 |      (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)]
>    98 |   grub_uint16_t dev_roles[]; /* Role in array, or 0xffff for a
>   127 |       struct grub_raid_super_1x sb;
> [...]
> Normally, it should be fixed by using `grub_uint16_t[]` instead of
> `grub_uint16_t[0]`, but I haven=E2=80=99t found out where yet.

I rather propose to consider this untested and not properly styled
change:

=2D-- grub-core/disk/mdraid1x_linux.c	2018-09-05 11:41:09.690721520 +0200
+++ grub-core/disk/mdraid1x_linux.c.ts	2020-03-20 13:57:21.159675792 +0100
@@ -178,8 +178,9 @@ grub_mdraid_detect (grub_disk_t disk,
 	return NULL;

       if (grub_disk_read (disk, sector,
-			  (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)]
-			  - (char *) &sb,
+			  ((char *) &sb.dev_roles - (char *) sb)
+			  + grub_le_to_cpu32 (sb.dev_number) * sizeof(grub_uint16_t),
 			  sizeof (role), &role))
 	return NULL;

=2D-----------------------------------------------------------------------
Reasoning:

I see
  grub_uint16_t dev_roles[0];
in
  http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/mdraid1x_l=
inux.c#n98
It's a gcc extension.
  https://www.gnu.org/software/gnu-c-manual/gnu-c-manual.html#Declaring-Ar=
rays
  "As a GNU extension, the number of elements can be as small as zero.
   Zero-length arrays are useful as the last element of a structure which
   is really a header for a variable-length object"

So isn't the problem rather about the allocation of the struct which
hosts .dev_roles ?
Currently there is in mdraid1x_linux.c:

  struct grub_raid_super_1x
  {
    ...
    grub_uint16_t dev_roles[0];   /* Role in array, or 0xffff for a spare,=
 or 0xfffe for faulty.  */
  };

  ...

  static struct grub_diskfilter_vg *
  grub_mdraid_detect (grub_disk_t disk, ...
    ...
      struct grub_raid_super_1x sb;

The allocation as local variable does not appear to provide this extra
memory storage, which shall host the array members of dev_roles.
I fail to see how sb could get enlarged later. The stack neighbors of sb
do not look like they would provide their storage for an array.

Now why didn't this fail earlier ?
That's because the bad array index use is not for memory access but for
pointer arithmetics:

 http://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/disk/mdraid1x_li=
nux.c#n180

 if (grub_disk_read (disk, sector,
          (char *) &sb.dev_roles[grub_le_to_cpu32 (sb.dev_number)]
           - (char *) &sb,
          sizeof (role), &role))

The code wants a number which shall be used as parameter grub_off_t offset
of grub_disk_read() (in grub-core/kern/disk.c).

I think that the following expression produces the same number without
virtual access to a virtual array member:

         (char *) &sb.dev_roles - (char *) sb
         + grub_le_to_cpu32 (sb.dev_number) * sizeof(grub_uint16_t)


Have a nice day :)

Thomas