From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: "GONG, Ruiqi" <gongruiqi@huaweicloud.com>,
Jonathan Cameron <jic23@kernel.org>,
Lars-Peter Clausen <lars@metafoo.de>,
Waqar Hameed <waqar.hameed@axis.com>,
Kees Cook <keescook@chromium.org>, <linux-iio@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <linux-hardening@vger.kernel.org>,
Wang Weiyang <wangweiyang2@huawei.com>,
Xiu Jianfeng <xiujianfeng@huawei.com>, <gongruiqi1@huawei.com>
Subject: Re: [PATCH RFC] iio: irsd200: fix -Warray-bounds bug in irsd200_trigger_handler
Date: Wed, 9 Aug 2023 09:37:29 +0100 [thread overview]
Message-ID: <20230809093729.00000a1d@Huawei.com> (raw)
In-Reply-To: <ZNIijIoh/famqTDl@work>
On Tue, 8 Aug 2023 05:10:04 -0600
"Gustavo A. R. Silva" <gustavoars@kernel.org> wrote:
> On Tue, Aug 08, 2023 at 04:37:19PM +0800, GONG, Ruiqi wrote:
> > From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
> >
> > When compiling with gcc 13 with -Warray-bounds enabled:
> >
> > In file included from drivers/iio/proximity/irsd200.c:15:
> > In function ‘iio_push_to_buffers_with_timestamp’,
> > inlined from ‘irsd200_trigger_handler’ at drivers/iio/proximity/irsd200.c:770:2:
> > ./include/linux/iio/buffer.h:42:46: error: array subscript ‘int64_t {aka long long int}[0]’
> > is partly outside array bounds of ‘s16[1]’ {aka ‘short int[1]’} [-Werror=array-bounds=]
> > 42 | ((int64_t *)data)[ts_offset] = timestamp;
> > | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~
> > drivers/iio/proximity/irsd200.c: In function ‘irsd200_trigger_handler’:
> > drivers/iio/proximity/irsd200.c:763:13: note: object ‘buf’ of size 2
> > 763 | s16 buf = 0;
> > | ^~~
> >
> > The problem seems to be that irsd200_trigger_handler() is taking a s16
> > variable as an int64_t buffer. Fix it by extending the buffer to 64 bits.
>
> Thanks for working on this!
>
> >
> > Link: https://github.com/KSPP/linux/issues/331
> > Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
>
> Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Good find on the bug, but the fix is wrong even if it squashes the error.
>
> --
> Gustavo
>
> > ---
> >
> > RFC: It's a preliminary patch since I'm not familiar with this hardware.
> > Further comments/reviews are needed about whether this fix is correct,
> > or we should use iio_push_to_buffers() instead of the *_with_timestamp()
> > version.
> >
> > drivers/iio/proximity/irsd200.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/iio/proximity/irsd200.c b/drivers/iio/proximity/irsd200.c
> > index 5bd791b46d98..34c479881bdf 100644
> > --- a/drivers/iio/proximity/irsd200.c
> > +++ b/drivers/iio/proximity/irsd200.c
> > @@ -759,10 +759,10 @@ static irqreturn_t irsd200_trigger_handler(int irq, void *pollf)
> > {
> > struct iio_dev *indio_dev = ((struct iio_poll_func *)pollf)->indio_dev;
> > struct irsd200_data *data = iio_priv(indio_dev);
> > - s16 buf = 0;
> > + int64_t buf = 0;
s64 as internal kernel type.
More importantly needs to be at least s64 buf[2]; as the offset
https://elixir.bootlin.com/linux/latest/source/include/linux/iio/buffer.h#L41
will be 1 due to this filling the timestamp in at first 8 byte aligned location
after the data that is already in the buffer.
With hindsight was a bad decision a long time ago not to force people to also
pass the size into this function so we could detect this at runtime at least.
Hard to repair now give very large number of drivers using this and the fact
that it's not always easy to work out that size. Unfortunately occasionally
one of these slips through review :(
I suppose we could, in some cases check if the buffer was at least 16 bytes which
would get us some of the way.
Jonathan
> > int ret;
> >
> > - ret = irsd200_read_data(data, &buf);
> > + ret = irsd200_read_data(data, (s16 *)&buf);
> > if (ret)
> > goto end;
> >
> > --
> > 2.41.0
> >
next prev parent reply other threads:[~2023-08-09 8:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230808083719.280777-1-gongruiqi@huaweicloud.com>
2023-08-08 11:10 ` [PATCH RFC] iio: irsd200: fix -Warray-bounds bug in irsd200_trigger_handler Gustavo A. R. Silva
2023-08-09 8:37 ` Jonathan Cameron [this message]
2023-08-09 17:13 ` Jonathan Cameron
2023-08-21 12:52 ` Waqar Hameed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230809093729.00000a1d@Huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=gongruiqi1@huawei.com \
--cc=gongruiqi@huaweicloud.com \
--cc=gustavoars@kernel.org \
--cc=jic23@kernel.org \
--cc=keescook@chromium.org \
--cc=lars@metafoo.de \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=wangweiyang2@huawei.com \
--cc=waqar.hameed@axis.com \
--cc=xiujianfeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).