lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250725090633.2481650-1-arnd@kernel.org>
Date: Fri, 25 Jul 2025 11:06:28 +0200
From: Arnd Bergmann <arnd@...nel.org>
To: Bjorn Helgaas <bhelgaas@...gle.com>,
	Hans Zhang <18255117159@....com>
Cc: Arnd Bergmann <arnd@...db.de>,
	Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
	Jonathan Cameron <Jonathan.Cameron@...wei.com>,
	Krzysztof Wilczyński <kwilczynski@...nel.org>,
	Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>,
	Philipp Stanner <phasta@...nel.org>,
	Keith Busch <kbusch@...nel.org>,
	Michał Winiarski <michal.winiarski@...el.com>,
	Krishna Chaitanya Chundru <krishna.chundru@....qualcomm.com>,
	Jiwei Sun <sunjw10@...ovo.com>,
	Niklas Cassel <cassel@...nel.org>,
	linux-pci@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH] PCI: fix out-of-bounds stack access

From: Arnd Bergmann <arnd@...db.de>

The newly added PCI_FIND_NEXT_EXT_CAP function calls a helper that
stores a result using a 32-bit pointer, but passes a shorter local
variable into it. gcc-15 warns about this undefined behavior:

In function 'cdns_pcie_read_cfg',
    inlined from 'cdns_pcie_find_capability' at drivers/pci/controller/cadence/pcie-cadence.c:31:9:
drivers/pci/controller/cadence/pcie-cadence.c:22:22: error: write of 32-bit data outside the bound of destination object, data truncated into 8-bit [-Werror=extra]
   22 |                 *val = cdns_pcie_readb(pcie, where);
      |                 ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'dw_pcie_read_cfg',
    inlined from 'dw_pcie_find_capability' at drivers/pci/controller/dwc/pcie-designware.c:234:9:
drivers/pci/controller/dwc/pcie-designware.c:225:22: error: write of 32-bit data outside the bound of destination object, data truncated into 8-bit [-Werror=extra]
  225 |                 *val = dw_pcie_readb_dbi(pci, where);
      |                 ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Change the macro to remove the invalid cast and extend the target
variables as needed.

Fixes: 1b07388f32e1 ("PCI: Refactor extended capability search into PCI_FIND_NEXT_EXT_CAP()")
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
 drivers/pci/pci.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index da5912c2017c..ac954584d991 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -109,17 +109,17 @@ int pci_bus_read_config(void *priv, unsigned int devfn, int where, u32 size,
 ({									\
 	int __ttl = PCI_FIND_CAP_TTL;					\
 	u8 __id, __found_pos = 0;					\
-	u8 __pos = (start);						\
-	u16 __ent;							\
+	u32 __pos = (start);						\
+	u32 __ent;							\
 									\
-	read_cfg(args, __pos, 1, (u32 *)&__pos);			\
+	read_cfg(args, __pos, 1, &__pos);				\
 									\
 	while (__ttl--) {						\
 		if (__pos < PCI_STD_HEADER_SIZEOF)			\
 			break;						\
 									\
 		__pos = ALIGN_DOWN(__pos, 4);				\
-		read_cfg(args, __pos, 2, (u32 *)&__ent);		\
+		read_cfg(args, __pos, 2, &__ent);			\
 									\
 		__id = FIELD_GET(PCI_CAP_ID_MASK, __ent);		\
 		if (__id == 0xff)					\
-- 
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ