| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Jan 2022 06:31:55 +0000
From: "Tanislav, Cosmin" <Cosmin.Tanislav@...log.com>
To: Kees Cook <keescook@...omium.org>,
Lars-Peter Clausen <lars@...afoo.de>
CC: "Hennerich, Michael" <Michael.Hennerich@...log.com>,
Jonathan Cameron <jic23@...nel.org>,
"linux-iio@...r.kernel.org" <linux-iio@...r.kernel.org>,
Linus Walleij <linus.walleij@...aro.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>
Subject: RE: [PATCH v2] iio: addac: Do not reference negative array offsets
Reviewed-by: Cosmin Tanislav <cosmin.tanislav@...log.com>
Put "iio: addac: ad74413r:" in patch title, maybe?
> -----Original Message-----
> From: Kees Cook <keescook@...omium.org>
> Sent: Wednesday, January 5, 2022 8:02 PM
> To: Lars-Peter Clausen <lars@...afoo.de>
> Cc: Kees Cook <keescook@...omium.org>; Hennerich, Michael
> <Michael.Hennerich@...log.com>; Tanislav, Cosmin
> <Cosmin.Tanislav@...log.com>; Jonathan Cameron <jic23@...nel.org>;
> linux-iio@...r.kernel.org; Linus Walleij <linus.walleij@...aro.org>; linux-
> kernel@...r.kernel.org; linux-hardening@...r.kernel.org
> Subject: [PATCH v2] iio: addac: Do not reference negative array offsets
>
> [External]
>
> Instead of aiming rx_buf at an invalid array-boundary-crossing location,
> just skip the first increment. Fixes this warning seen when building
> with -Warray-bounds:
>
> drivers/iio/addac/ad74413r.c: In function 'ad74413r_update_scan_mode':
> drivers/iio/addac/ad74413r.c:843:22: warning: array subscript -4 is below
> array bounds of 'u8[16]' { aka 'unsigned char[16]'} [-Warray-bounds]
> 843 | u8 *rx_buf = &st->adc_samples_buf.rx_buf[-1 *
> AD74413R_FRAME_SIZE];
> |
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/iio/addac/ad74413r.c:84:20: note: while referencing 'rx_buf'
> 84 | u8 rx_buf[AD74413R_FRAME_SIZE *
> AD74413R_CHANNEL_MAX];
> | ^~~~~~
>
> Cc: Lars-Peter Clausen <lars@...afoo.de>
> Cc: Michael Hennerich <Michael.Hennerich@...log.com>
> Cc: Cosmin Tanislav <cosmin.tanislav@...log.com>
> Cc: Jonathan Cameron <jic23@...nel.org>
> Cc: linux-iio@...r.kernel.org
> Fixes: fea251b6a5db ("iio: addac: add AD74413R driver")
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v1:
> https://urldefense.com/v3/__https://lore.kernel.org/lkml/20211215232321.
> 2069314-1-
> keescook@...omium.org/__;!!A3Ni8CS0y2Y!vadcwdERjyNVz3vFIp5m5S2ms
> oFHro8aKzH9ulwPevCKHpev6D53gibZrv5U9mPHGcoB$
> v2:
> - use "xfer" for checking "first through the loop"
> ---
> drivers/iio/addac/ad74413r.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iio/addac/ad74413r.c b/drivers/iio/addac/ad74413r.c
> index 5271073bb74e..aba9a643a4ca 100644
> --- a/drivers/iio/addac/ad74413r.c
> +++ b/drivers/iio/addac/ad74413r.c
> @@ -840,7 +840,7 @@ static int ad74413r_update_scan_mode(struct iio_dev
> *indio_dev,
> {
> struct ad74413r_state *st = iio_priv(indio_dev);
> struct spi_transfer *xfer = st->adc_samples_xfer;
> - u8 *rx_buf = &st->adc_samples_buf.rx_buf[-1 *
> AD74413R_FRAME_SIZE];
> + u8 *rx_buf = st->adc_samples_buf.rx_buf;
> u8 *tx_buf = st->adc_samples_tx_buf;
> unsigned int channel;
> int ret = -EINVAL;
> @@ -894,9 +894,10 @@ static int ad74413r_update_scan_mode(struct
> iio_dev *indio_dev,
>
> spi_message_add_tail(xfer, &st->adc_samples_msg);
>
> - xfer++;
> tx_buf += AD74413R_FRAME_SIZE;
> - rx_buf += AD74413R_FRAME_SIZE;
> + if (xfer != st->adc_samples_xfer)
> + rx_buf += AD74413R_FRAME_SIZE;
> + xfer++;
> }
>
> xfer->rx_buf = rx_buf;
> --
> 2.30.2
Powered by blists - more mailing lists