lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Apr 2021 15:14:03 -0500 From: "Gustavo A. R. Silva" <gustavoars@...nel.org> To: David Woodhouse <dwmw2@...radead.org>, Lu Baolu <baolu.lu@...ux.intel.com>, Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org> Cc: iommu@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, "Gustavo A. R. Silva" <gustavoars@...nel.org>, linux-hardening@...r.kernel.org Subject: [PATCH v2][next] iommu/vt-d: Fix out-bounds-warning in intel_svm_page_response() Replace a couple of calls to memcpy() with simple assignments in order to fix the following out-of-bounds warning: drivers/iommu/intel/svm.c:1198:4: warning: 'memcpy' offset [25, 32] from the object at 'desc' is out of the bounds of referenced subobject 'qw2' with type 'long long unsigned int' at offset 16 [-Warray-bounds] The problem is that the original code is trying to copy data into a couple of struct members adjacent to each other in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &desc.qw2 and &resp.qw2, respectively. This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org> --- Changes in v2: - Fix another instance of this same issue in prq_event_thread(). drivers/iommu/intel/svm.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c index 5165cea90421..332365ec3195 100644 --- a/drivers/iommu/intel/svm.c +++ b/drivers/iommu/intel/svm.c @@ -1020,9 +1020,10 @@ static irqreturn_t prq_event_thread(int irq, void *d) resp.qw2 = 0; resp.qw3 = 0; - if (req->priv_data_present) - memcpy(&resp.qw2, req->priv_data, - sizeof(req->priv_data)); + if (req->priv_data_present) { + resp.qw2 = req->priv_data[0]; + resp.qw3 = req->priv_data[1]; + } qi_submit_sync(iommu, &resp, 1, 0); } prq_advance: @@ -1194,9 +1195,10 @@ int intel_svm_page_response(struct device *dev, desc.qw1 = QI_PGRP_IDX(prm->grpid) | QI_PGRP_LPIG(last_page); desc.qw2 = 0; desc.qw3 = 0; - if (private_present) - memcpy(&desc.qw2, prm->private_data, - sizeof(prm->private_data)); + if (private_present) { + desc.qw2 = prm->private_data[0]; + desc.qw3 = prm->private_data[1]; + } qi_submit_sync(iommu, &desc, 1, 0); } -- 2.27.0
Powered by blists - more mailing lists