lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <f5db760e-c143-4f6c-9389-309a362f0baf@app.fastmail.com>
Date: Fri, 05 Sep 2025 12:52:44 +0200
From: "Arnd Bergmann" <arnd@...db.de>
To: "Anders Roxell" <anders.roxell@...aro.org>, "Kees Cook" <kees@...nel.org>
Cc: "Bjorn Helgaas" <bhelgaas@...gle.com>,
 "Linaro Kernel Functional Testing" <lkft@...aro.org>,
 "Naresh Kamboju" <naresh.kamboju@...aro.org>, lkft-triage@...ts.linaro.org,
 "Linux Regressions" <regressions@...ts.linux.dev>,
 "Dan Carpenter" <dan.carpenter@...aro.org>,
 "Benjamin Copeland" <benjamin.copeland@...aro.org>,
 linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
 "Peter Zijlstra" <peterz@...radead.org>, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] PCI: Test for bit underflow in pcie_set_readrq()

On Fri, Sep 5, 2025, at 10:16, Anders Roxell wrote:
> On Fri, 5 Sept 2025 at 07:28, Kees Cook <kees@...nel.org> wrote:
>> @@ -5949,7 +5950,10 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
>>                         rq = mps;
>>         }
>>
>> -       v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
>> +       firstbit = ffs(rq);
>> +       if (firstbit < 8)
>> +               return -EINVAL;
>> +       v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8);
>
> Hi Kees,
>
> Thank you for looking into this.
>
> These warnings are not a one time thing.  the later versions of gcc
> can figure it
> out that firstbit is at least 8 based on the "rq < 128" (i guess), so
> we're adding
> bogus code.  maybe we should just disable the check for gcc-8.

Out of the three failures I saw, two also happened with gcc-9, but
gcc-10 looks clean so far.

>          \
> +                                       (0 + (_val)) : 0,
>          \
>                                  _pfx "value too large for the field"); \
>                 BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) >     \
>                                  __bf_cast_unsigned(_reg, ~0ull),       \
>
> I found similar patterns with ffs and FIELD_PREP here
> drivers/dma/uniphier-xdmac.c row 156 and 165
> drivers/gpu/drm/i915/display/intel_cursor_regs.h row 17

I did not come across build failures for these.

    Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ