lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 24 Feb 2024 13:11:34 +0100
From: Arnd Bergmann <arnd@...nel.org>
To: Jonathan Cameron <jic23@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>,
	Lars-Peter Clausen <lars@...afoo.de>,
	Nathan Chancellor <nathan@...nel.org>,
	Nick Desaulniers <ndesaulniers@...gle.com>,
	Bill Wendling <morbo@...gle.com>,
	Justin Stitt <justinstitt@...gle.com>,
	Uwe Kleine-König <u.kleine-koenig@...gutronix.de>,
	linux-iio@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	llvm@...ts.linux.dev
Subject: [PATCH] iio: avoid fortify-string overflow error

From: Arnd Bergmann <arnd@...db.de>

The memcpy() call in dlhl60d.c triggers a check with clang-19:

In file included from drivers/iio/pressure/dlhl60d.c:11:
In file included from include/linux/module.h:17:
include/linux/fortify-string.h:553:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
  553 |                         __write_overflow_field(p_size_field, size);
      |                         ^

It writes into a two member array from a loop over a linked list
that likely has some indication of having more than two entries.

Add a conditional check there to avoid the overflow.

Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
 drivers/iio/pressure/dlhl60d.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iio/pressure/dlhl60d.c b/drivers/iio/pressure/dlhl60d.c
index 28c8269ba65d..a43ecda849db 100644
--- a/drivers/iio/pressure/dlhl60d.c
+++ b/drivers/iio/pressure/dlhl60d.c
@@ -262,6 +262,8 @@ static irqreturn_t dlh_trigger_handler(int irq, void *private)
 			&st->rx_buf[1] + chn * DLH_NUM_DATA_BYTES,
 			DLH_NUM_DATA_BYTES);
 		i++;
+		if (i >= ARRAY_SIZE(tmp_buf))
+			break;
 	}
 
 	iio_push_to_buffers(indio_dev, tmp_buf);
-- 
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ