Message-ID: <s5hzgpcond5.wl-tiwai@suse.de>
Date:   Tue, 07 Dec 2021 09:00:54 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     Kees Cook <keescook@...omium.org>
Cc:     Jaroslav Kysela <perex@...ex.cz>, Takashi Iwai <tiwai@...e.com>,
        linux-kernel@...r.kernel.org, alsa-devel@...a-project.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH] ALSA: mixart: Reduce size of mixart_timer_notify

On Tue, 07 Dec 2021 07:29:41 +0100,
Kees Cook wrote:
> 
> The mixart_timer_notify structure was larger than could be represented
> by the mixart_msg_data array storage. Adjust the size to as large as
> possible to fix the warning seen with -Warray-bounds builds:
> 
> sound/pci/mixart/mixart_core.c: In function 'snd_mixart_threaded_irq':
> sound/pci/mixart/mixart_core.c:447:50: error: array subscript 'struct mixart_timer_notify[0]' is partly outside array bounds of 'u32[128]' {aka 'unsigned int[128]'} [-Werror=array-bounds]
>   447 |                                 for(i=0; i<notify->stream_count; i++) {
>       |                                                  ^~
> sound/pci/mixart/mixart_core.c:328:12: note: while referencing 'mixart_msg_data'
>   328 | static u32 mixart_msg_data[MSG_DEFAULT_SIZE / 4];
>       |            ^~~~~~~~~~~~~~~
> 
> Signed-off-by: Kees Cook <keescook@...omium.org>

Thanks, applied now.

> @@ -444,6 +442,7 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id)
>  				struct mixart_timer_notify *notify;
>  				notify = (struct mixart_timer_notify *)mixart_msg_data;
>  
> +				BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data));
>  				for(i=0; i<notify->stream_count; i++) {
>  
>  					u32 buffer_id = notify->streams[i].buffer_id;
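Review bot: In the added BUILD_BUG_ON line, `sizeof(notify)` is the size of the pointer, since `notify` is declared just above as `struct mixart_timer_notify *`, so the assertion can never fire and does not check that the structure fits in mixart_msg_data. Use `sizeof(*notify)` so the structure size is what gets compared. Separately, the loop in the following context line still runs up to `notify->stream_count` as read from the message buffer, so a compile-time size check alone does not bound the `notify->streams[i]` accesses; a runtime comparison of stream_count against the number of elements in streams[] before the loop would cover that.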

I guess we should add the array boundary check of
notify->stream_count, instead of fully relying on the hardware reply,
too.  Will submit the additional check.


Takashi
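
A sketch of the two checks discussed in this thread, as an added example that is not code from the patch, the follow-up, or the mixart driver: a compile-time size check on the structure, plus a runtime bound on the device-supplied count. The structure layout, field names other than stream_count, streams and buffer_id, and the helper functions are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; the real mixart structure layout is not shown on this page. */
#define MSG_WORDS 128u                          /* matches u32[128] from the warning */
struct stream_info { uint32_t buffer_id; uint32_t sample_pos; };
#define MAX_STREAMS ((MSG_WORDS * 4u - 4u) / sizeof(struct stream_info))
struct timer_notify {
    uint32_t stream_count;                      /* filled in by the device */
    struct stream_info streams[MAX_STREAMS];
};

/* Compile-time check on the structure itself. sizeof of a pointer to it would
 * always pass, because a pointer is typically only 4 or 8 bytes. */
_Static_assert(sizeof(struct timer_notify) <= MSG_WORDS * sizeof(uint32_t),
               "notify struct must fit in the message buffer");

/* Copies buffer ids out of a device reply. Returns the number of streams,
 * or -1 when the device-supplied count exceeds the array capacity. */
int process_notify(const uint32_t *msg, uint32_t *ids_out)
{
    struct timer_notify n;
    memcpy(&n, msg, sizeof(n));                 /* avoids aliasing the u32 array */
    if (n.stream_count > MAX_STREAMS)
        return -1;                              /* reject instead of trusting hardware */
    for (uint32_t i = 0; i < n.stream_count; i++)
        ids_out[i] = n.streams[i].buffer_id;
    return (int)n.stream_count;
}

/* Constructed sample reply: claimed count, then ids 0x100, 0x101, ... */
void build_sample(uint32_t *msg, uint32_t claimed)
{
    memset(msg, 0, MSG_WORDS * sizeof(uint32_t));
    msg[0] = claimed;
    for (uint32_t i = 0; i < claimed && i < MAX_STREAMS; i++)
        msg[1 + 2 * i] = 0x100 + i;
}

int main(void)
{
    uint32_t msg[MSG_WORDS], ids[MAX_STREAMS];
    build_sample(msg, 2);
    printf("count=2    -> %d\n", process_notify(msg, ids));
    build_sample(msg, 1000);
    printf("count=1000 -> %d\n", process_notify(msg, ids));
    return 0;
}
```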
