| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250725200552.GA3111469@bhelgaas>
Date: Fri, 25 Jul 2025 15:05:52 -0500
From: Bjorn Helgaas <helgaas@...nel.org>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>, Hans Zhang <18255117159@....com>,
Arnd Bergmann <arnd@...db.de>,
Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
Jonathan Cameron <Jonathan.Cameron@...wei.com>,
Krzysztof Wilczyński <kwilczynski@...nel.org>,
Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>,
Philipp Stanner <phasta@...nel.org>,
Keith Busch <kbusch@...nel.org>,
Michał Winiarski <michal.winiarski@...el.com>,
Krishna Chaitanya Chundru <krishna.chundru@....qualcomm.com>,
Jiwei Sun <sunjw10@...ovo.com>, Niklas Cassel <cassel@...nel.org>,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] PCI: fix out-of-bounds stack access
On Fri, Jul 25, 2025 at 11:06:28AM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> The newly added PCI_FIND_NEXT_EXT_CAP function calls a helper that
> stores a result using a 32-bit pointer, but passes a shorter local
> variable into it. gcc-15 warns about this undefined behavior:
>
> In function 'cdns_pcie_read_cfg',
> inlined from 'cdns_pcie_find_capability' at drivers/pci/controller/cadence/pcie-cadence.c:31:9:
> drivers/pci/controller/cadence/pcie-cadence.c:22:22: error: write of 32-bit data outside the bound of destination object, data truncated into 8-bit [-Werror=extra]
> 22 | *val = cdns_pcie_readb(pcie, where);
> | ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In function 'dw_pcie_read_cfg',
> inlined from 'dw_pcie_find_capability' at drivers/pci/controller/dwc/pcie-designware.c:234:9:
> drivers/pci/controller/dwc/pcie-designware.c:225:22: error: write of 32-bit data outside the bound of destination object, data truncated into 8-bit [-Werror=extra]
> 225 | *val = dw_pcie_readb_dbi(pci, where);
> | ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Change the macro to remove the invalid cast and extend the target
> variables as needed.
>
> Fixes: 1b07388f32e1 ("PCI: Refactor extended capability search into PCI_FIND_NEXT_EXT_CAP()")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
Squashed into that commit, thanks, Arnd!
https://git.kernel.org/cgit/linux/kernel/git/pci/pci.git/commit/?id=2502a619108b
> ---
> drivers/pci/pci.h | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
> index da5912c2017c..ac954584d991 100644
> --- a/drivers/pci/pci.h
> +++ b/drivers/pci/pci.h
> @@ -109,17 +109,17 @@ int pci_bus_read_config(void *priv, unsigned int devfn, int where, u32 size,
> ({ \
> int __ttl = PCI_FIND_CAP_TTL; \
> u8 __id, __found_pos = 0; \
> - u8 __pos = (start); \
> - u16 __ent; \
> + u32 __pos = (start); \
> + u32 __ent; \
> \
> - read_cfg(args, __pos, 1, (u32 *)&__pos); \
> + read_cfg(args, __pos, 1, &__pos); \
> \
> while (__ttl--) { \
> if (__pos < PCI_STD_HEADER_SIZEOF) \
> break; \
> \
> __pos = ALIGN_DOWN(__pos, 4); \
> - read_cfg(args, __pos, 2, (u32 *)&__ent); \
> + read_cfg(args, __pos, 2, &__ent); \
> \
> __id = FIELD_GET(PCI_CAP_ID_MASK, __ent); \
> if (__id == 0xff) \
> --
> 2.39.5
>
Powered by blists - more mailing lists