lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 2 Feb 2022 15:03:51 -0800
From:   Kees Cook <>
To:     Chris Zankel <>, Max Filippov <>
Subject: How large is the xtensa pt_regs::areg array supposed to be?


When building with -Warray-bounds, I see this:

In file included from ./include/linux/uaccess.h:11,
                 from ./include/linux/sched/task.h:11,
                 from arch/xtensa/kernel/process.c:21:
arch/xtensa/kernel/process.c: In function 'copy_thread':
arch/xtensa/kernel/process.c:262:52: warning: array subscript 53 is above array bounds of 'long unsigned int[16]' [-Warray-bounds]
  262 |                                 put_user(regs->areg[caller_ars+1],
./arch/xtensa/include/asm/uaccess.h:171:18: note: in definition of macro '__put_user_asm'
  171 |         :[x] "r"(x_), [efault] "i"(-EFAULT))
      |                  ^~
./arch/xtensa/include/asm/uaccess.h:89:17: note: in expansion of macro '__put_user_size'
   89 |                 __put_user_size((x), __pu_addr, (size), __pu_err);      \
      |                 ^~~~~~~~~~~~~~~
./arch/xtensa/include/asm/uaccess.h:62:33: note: in expansion of macro '__put_user_check'
   62 | #define put_user(x, ptr)        __put_user_check((x), (ptr), sizeof(*(ptr)))
      |                                 ^~~~~~~~~~~~~~~~
arch/xtensa/kernel/process.c:262:33: note: in expansion of macro 'put_user'
  262 |                                 put_user(regs->areg[caller_ars+1],
      |                                 ^~~~~~~~
In file included from ./arch/xtensa/include/asm/processor.h:17,
                 from ./arch/xtensa/include/asm/thread_info.h:20,
                 from ./arch/xtensa/include/asm/current.h:14,
                 from ./include/linux/sched.h:12,
                 from arch/xtensa/kernel/process.c:19:
./arch/xtensa/include/asm/ptrace.h:80:23: note: while referencing 'areg'
   80 |         unsigned long areg[16];
      |                       ^~~~

The code is:
                                int callinc = (regs->areg[0] >> 30) & 3;
                                int caller_ars = XCHAL_NUM_AREGS - callinc * 4;
                                         (unsigned __user*)(usp - 12));

It looks like XCHAL_NUM_AREGS is larger than "16", though?

struct pt_regs {
        unsigned long areg[16];

What should be happening here?


Kees Cook

Powered by blists - more mailing lists