From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Borislav Petkov" <bp@alien8.de>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	"Jó Ágila Bitsch" <jgilab@gmail.com>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array
Date: Thu, 6 Jul 2023 08:47:18 +0100
Message-ID: <2023070609-taco-deviation-3b4b@gregkh>
In-Reply-To: <202307051408.E16A95E@keescook>

On Wed, Jul 05, 2023 at 02:11:03PM -0700, Kees Cook wrote:
> On Thu, Jun 29, 2023 at 09:17:23PM +0200, Greg Kroah-Hartman wrote:
> > On Thu, Jun 29, 2023 at 12:09:00PM -0700, Kees Cook wrote:
> > > Since commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3"),
> > > UBSAN_BOUNDS no longer pretends 1-element arrays are unbounded. Walking
> > > bmSublinkSpeedAttr will trigger a warning, so make it a proper flexible
> > > array. Add a union to keep the struct size identical for userspace in
> > > case anything was depending on the old size.
> > > 
> > > False positive warning was:
> > > 
> > > UBSAN: array-index-out-of-bounds in drivers/usb/host/xhci-hub.c:231:31 index 1 is out of range for type '__le32 [1]'
> > > 
> > > for this line of code:
> > > 
> > > 	ssp_cap->bmSublinkSpeedAttr[offset++] = cpu_to_le32(attr);
> > > 
> > > Reported-by: Borislav Petkov <bp@alien8.de>
> > > Closes: https://lore.kernel.org/lkml/2023062945-fencing-pebble-0411@gregkh/
> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > >  include/uapi/linux/usb/ch9.h | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > Thanks for the quick response, I'll queue it up after 6.5-rc1 is out.
> 
> I'm going to send this before -rc1, since we've had another report[1] that
> was fixed by this. Given the verification there and Boris's testing, I
> think this is good to land. I'll toss it in -next now and send it to
> Linus on Friday after making sure there are no more surprises.
> 
> -Kees
> 
> [1] https://lore.kernel.org/lkml/DA3FEB08-DF39-406B-89CC-9076CFCF597A@kernel.org/

No problem:

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
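
The layout change described in the quoted commit message, as an added C example (not the patch from this thread and not kernel code): a union keeps `sizeof` and the member offset unchanged while the array becomes a true flexible array. The struct names, the trimmed field list, `legacy_padding`, `FLEX_IN_UNION` and `ssp_cap_alloc` are hypothetical, and the empty struct is a GNU C extension (GCC or Clang assumed).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Old layout: declared bound of 1, but really followed by N entries. */
struct ssp_cap_old {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint16_t wReserved;                 /* hypothetical filler field */
	uint32_t bmSublinkSpeedAttr[1];
};

/* A flexible array cannot sit directly in a union, so wrap it in a
 * struct that also has an empty named member (GNU C extension). */
#define FLEX_IN_UNION(type, name) \
	struct { struct { } empty_##name; type name[]; }

/* New layout: same size and offsets, but the array has no fixed bound. */
struct ssp_cap_new {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint16_t wReserved;
	union {
		uint32_t legacy_padding;    /* keeps sizeof() as it was */
		FLEX_IN_UNION(uint32_t, bmSublinkSpeedAttr);
	};
};

size_t old_size(void) { return sizeof(struct ssp_cap_old); }
size_t new_size(void) { return sizeof(struct ssp_cap_new); }
size_t old_attr_offset(void) { return offsetof(struct ssp_cap_old, bmSublinkSpeedAttr); }
size_t new_attr_offset(void) { return offsetof(struct ssp_cap_new, bmSublinkSpeedAttr); }

/* Allocate a descriptor with n entries; the real bound lives in the
 * allocation size and bLength, not in the array type. */
struct ssp_cap_new *ssp_cap_alloc(size_t n)
{
	size_t hdr = offsetof(struct ssp_cap_new, bmSublinkSpeedAttr);
	struct ssp_cap_new *cap;

	if (n == 0 || n > (UINT8_MAX - hdr) / sizeof(uint32_t))
		return NULL;                /* total must fit the u8 bLength */
	cap = calloc(1, hdr + n * sizeof(uint32_t));
	if (!cap)
		return NULL;
	cap->bLength = (uint8_t)(hdr + n * sizeof(uint32_t));
	for (size_t i = 0; i < n; i++)      /* constructed sample values */
		cap->bmSublinkSpeedAttr[i] = (uint32_t)(0x100 + i);
	return cap;
}
```

With the old layout, the same fill loop indexes past a declared bound of 1, which is what a bounds sanitizer reports once `-fstrict-flex-arrays=3` stops treating 1-element trailing arrays as unbounded.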

Thread overview: 6+ messages
2023-06-29 19:09 [PATCH] usb: ch9: Replace bmSublinkSpeedAttr 1-element array with flexible array Kees Cook
2023-06-29 19:17 ` Greg Kroah-Hartman
2023-06-30 13:34   ` Borislav Petkov
2023-07-05 21:11   ` Kees Cook
2023-07-06  7:47     ` Greg Kroah-Hartman [this message]
2023-06-29 19:22 ` Gustavo A. R. Silva