Date:   Fri, 1 May 2020 08:47:49 +0100
From:   John Garry <john.garry@...wei.com>
To:     Arnd Bergmann <arnd@...db.de>, <linux-kernel@...r.kernel.org>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        James Bottomley <James.Bottomley@...elEye.com>
CC:     James Bottomley <James.Bottomley@...senPartnership.com>,
        Hannes Reinecke <hare@...e.com>, <linux-scsi@...r.kernel.org>
Subject: Re: [PATCH 13/15] scsi: sas: avoid gcc-10 zero-length-bounds warning

On 30/04/2020 22:30, Arnd Bergmann wrote:
> Two files access the zero-length resp_data[] array, which now
> causes a compiler warning:
> 
> drivers/scsi/aic94xx/aic94xx_tmf.c: In function 'asd_get_tmf_resp_tasklet':
> drivers/scsi/aic94xx/aic94xx_tmf.c:291:22: warning: array subscript 3 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds]
>    291 |   res = ru->resp_data[3];
>        |         ~~~~~~~~~~~~~^~~
> In file included from include/scsi/libsas.h:15,
>                   from drivers/scsi/aic94xx/aic94xx.h:16,
>                   from drivers/scsi/aic94xx/aic94xx_tmf.c:11:
> include/scsi/sas.h:557:9: note: while referencing 'resp_data'
>    557 |  u8     resp_data[0];
>        |         ^~~~~~~~~
> drivers/scsi/libsas/sas_task.c: In function 'sas_ssp_task_response':
> drivers/scsi/libsas/sas_task.c:21:30: warning: array subscript 3 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds]
>     21 |   tstat->stat = iu->resp_data[3];
>        |                 ~~~~~~~~~~~~~^~~
> In file included from include/scsi/scsi_transport_sas.h:8,
>                   from drivers/scsi/libsas/sas_internal.h:14,
>                   from drivers/scsi/libsas/sas_task.c:3:
> include/scsi/sas.h:557:9: note: while referencing 'resp_data'
>    557 |  u8     resp_data[0];
>        |         ^~~~~~~~~
> 
> This should really be a flexible-array member, but the structure
> already has such a member, swapping it out with sense_data[] would
> cause many more warnings elsewhere.
> 


Hi Arnd,

If we really prefer flexible-array members over zero-length array 
members, then could we have a union of flexible-array members? I'm not 
sure if that's a good idea TBH (or even permitted), as these structures 
are defined by the SAS spec and good practice to keep as consistent as 
possible, but just wondering.

Apart from that:

Reviewed-by: John Garry <john.garry@...wei.com>

> As a workaround, add a temporary pointer that can be accessed without
> a warning.
> 
> Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
> Fixes: 366ca51f30de ("[SCSI] libsas: abstract STP task status into a function")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
>   drivers/scsi/aic94xx/aic94xx_tmf.c | 4 +++-
>   drivers/scsi/libsas/sas_task.c     | 3 ++-
>   2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/aic94xx/aic94xx_tmf.c b/drivers/scsi/aic94xx/aic94xx_tmf.c
> index f814026f26fa..a3139f9766c8 100644
> --- a/drivers/scsi/aic94xx/aic94xx_tmf.c
> +++ b/drivers/scsi/aic94xx/aic94xx_tmf.c
> @@ -269,6 +269,7 @@ static int asd_get_tmf_resp_tasklet(struct asd_ascb *ascb,
>   	struct ssp_frame_hdr *fh;
>   	struct ssp_response_iu   *ru;
>   	int res = TMF_RESP_FUNC_FAILED;
> +	u8 *resp;
>   
>   	ASD_DPRINTK("tmf resp tasklet\n");
>   
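Review bot: the new `u8 *resp;` declaration could be `const u8 *resp;`, since the only use of it in this function is the read `res = resp[3];`. That makes it clear the temporary is not a way to write into the response IU.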
> @@ -287,8 +288,9 @@ static int asd_get_tmf_resp_tasklet(struct asd_ascb *ascb,
>   	fh = edb->vaddr + 16;
>   	ru = edb->vaddr + 16 + sizeof(*fh);
>   	res = ru->status;
> +	resp = ru->resp_data;
>   	if (ru->datapres == 1)	  /* Response data present */
> -		res = ru->resp_data[3];
> +		res = resp[3];
>   #if 0
>   	ascb->tag = fh->tag;
>   #endif
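Review bot: `resp = ru->resp_data;` carries no comment saying it exists only to avoid -Wzero-length-bounds, so a later cleanup could fold it back into `ru->resp_data[3]` and bring the warning back; a one-line comment above the assignment would prevent that. Going through a plain `u8 *` also drops the array type from the access, so the compiler no longer has any bounds information for it, and nothing in the visible context checks the response data length before byte 3 is read when `datapres == 1`.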
> diff --git a/drivers/scsi/libsas/sas_task.c b/drivers/scsi/libsas/sas_task.c
> index e2d42593ce52..4cd2f9611c4a 100644
> --- a/drivers/scsi/libsas/sas_task.c
> +++ b/drivers/scsi/libsas/sas_task.c
> @@ -12,13 +12,14 @@ void sas_ssp_task_response(struct device *dev, struct sas_task *task,
>   			   struct ssp_response_iu *iu)
>   {
>   	struct task_status_struct *tstat = &task->task_status;
> +	u8 *resp = iu->resp_data;
>   
>   	tstat->resp = SAS_TASK_COMPLETE;
>   
>   	if (iu->datapres == 0)
>   		tstat->stat = iu->status;
>   	else if (iu->datapres == 1)
> -		tstat->stat = iu->resp_data[3];
> +		tstat->stat = resp[3];
>   	else if (iu->datapres == 2) {
>   		tstat->stat = SAM_STAT_CHECK_CONDITION;
>   		tstat->buf_valid_size =
> 
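Review bot: `u8 *resp = iu->resp_data;` repeats the temporary-pointer workaround from the aic94xx_tmf.c hunk, with the same bare index 3 in `tstat->stat = resp[3];`. A small static inline accessor next to the struct definition in include/scsi/sas.h, used by both callers, would keep the workaround and the index in one commented place instead of two.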
