Message-ID: <90e419ad-4036-4669-a4cc-8ce5d29e464b@infradead.org>
Date: Fri, 19 Dec 2025 20:20:13 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: Kees Cook <kees@...nel.org>, kasan-dev@...glegroups.com,
 linux-hardening@...r.kernel.org
Subject: UBSAN: array-index-out-of-bounds


from kernel bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=220823


Dec 15 22:01:52 orpheus kernel: UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.18.1/work/linux-6.18/drivers/mtd/devices/mtd_intel_dg.c:750:15


(from drivers/mtd/devices/mtd_intel_dg.c:)

	nvm = kzalloc(struct_size(nvm, regions, nregions), GFP_KERNEL);
...

	for (n = 0, i = 0; i < INTEL_DG_NVM_REGIONS; i++) {
		if (!invm->regions[i].name)
			continue;

		char *name = kasprintf(GFP_KERNEL, "%s.%s",
				       dev_name(&aux_dev->dev), invm->regions[i].name);
		if (!name)
			continue;
750:		nvm->regions[n].name = name;
		nvm->regions[n].id = i;
		n++;
	}
	nvm->nregions = n;


regions is a flexible array in struct intel_dg_nvm *nvm; [see below]
regions is counted_by nvm->nregions.

Question: does UBSAN use the value of the counted_by variable for array bounds
checking?
If so, that means nvm->nregions must be updated before the array entry
is used. Is that correct?

If not, how does UBSAN do array-bounds checking in cases like this?


struct intel_dg_nvm {
	struct kref refcnt;
	struct mtd_info mtd;
	struct mutex lock; /* region access lock */
	void __iomem *base;
	void __iomem *base2;
	bool non_posted_erase;

	size_t size;
	unsigned int nregions;
	struct {
		const char *name;
		u8 id;
		u64 offset;
		u64 size;
		unsigned int is_readable:1;
		unsigned int is_writable:1;
	} regions[] __counted_by(nregions);
};

thanks.
-- 
~Randy
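The ordering rule the question asks about, shown as an added userspace example (not code from the kernel driver or from this message): with `__counted_by`, the compiler derives the bounds of the flexible array from the current value of the counter member, so a bounds sanitizer traps on `regions[n]` while `nregions` is still zero from `kzalloc()`. The idiom is to set the counter to the allocated capacity immediately after allocation, populate the array, and only then lower it to the number of entries actually filled. Everything below is constructed: the `COUNTED_BY` macro, the `demo_*` names, the `DEMO_NVM_REGIONS` constant standing in for `INTEL_DG_NVM_REGIONS`, and the sample region table.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* counted_by is honoured by recent GCC and Clang together with
 * -fsanitize=bounds; on older compilers the attribute is dropped and the
 * code still compiles, leaving only the explicit checks below. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)
#endif

#define DEMO_NVM_REGIONS 8   /* constructed stand-in for INTEL_DG_NVM_REGIONS */

/* Hypothetical source table, mirroring invm->regions[]: NULL name = unused slot. */
struct demo_src_region {
	const char *name;
};

/* Hypothetical destination with the same shape as the kernel struct. */
struct demo_nvm {
	unsigned int nregions;
	struct {
		char *name;
		unsigned char id;
	} regions[] COUNTED_BY(nregions);
};

/* Build a demo_nvm from a source table. The counter is set to the allocated
 * capacity before regions[] is touched, so every store stays inside the
 * bounds the sanitizer derives from nregions; it is lowered to the populated
 * count only after the loop. Returns NULL on allocation failure. */
struct demo_nvm *demo_nvm_create(const struct demo_src_region *src, unsigned int capacity)
{
	struct demo_nvm *nvm;
	unsigned int i, n;

	nvm = calloc(1, sizeof(*nvm) + (size_t)capacity * sizeof(nvm->regions[0]));
	if (!nvm)
		return NULL;
	nvm->nregions = capacity;   /* must precede any regions[] access */

	for (n = 0, i = 0; i < capacity; i++) {
		size_t len;
		char *name;

		if (!src[i].name)
			continue;
		len = strlen("demo-dev.") + strlen(src[i].name) + 1;
		name = malloc(len);
		if (!name)
			continue;
		snprintf(name, len, "demo-dev.%s", src[i].name);
		nvm->regions[n].name = name;
		nvm->regions[n].id = (unsigned char)i;
		n++;
	}
	nvm->nregions = n;          /* shrink to the entries actually filled */
	return nvm;
}

void demo_nvm_destroy(struct demo_nvm *nvm)
{
	unsigned int i;

	if (!nvm)
		return;
	for (i = 0; i < nvm->nregions; i++)
		free(nvm->regions[i].name);
	free(nvm);
}

/* Bounds-checked lookup: NULL instead of a read past nregions. */
const char *demo_nvm_region_name(const struct demo_nvm *nvm, unsigned int idx)
{
	if (!nvm || idx >= nvm->nregions)
		return NULL;
	return nvm->regions[idx].name;
}

/* Constructed sample: eight slots, three of them named. */
static const struct demo_src_region demo_table[DEMO_NVM_REGIONS] = {
	[0] = { "region0" },
	[2] = { "region2" },
	[5] = { "region5" },
};

struct demo_nvm *demo_build_sample(void)
{
	return demo_nvm_create(demo_table, DEMO_NVM_REGIONS);
}

int main(void)
{
	struct demo_nvm *nvm = demo_build_sample();
	unsigned int i;

	if (!nvm)
		return 1;
	for (i = 0; i < nvm->nregions; i++)
		printf("%u: id=%u name=%s\n", i, nvm->regions[i].id, nvm->regions[i].name);
	demo_nvm_destroy(nvm);
	return 0;
}
```

Compiled with a compiler that supports `counted_by` and `-fsanitize=bounds`, moving the `nvm->nregions = capacity;` line below the loop reproduces the class of report quoted above: the first `nvm->regions[0].name = name;` store is flagged because the counter still reads zero at that point.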