lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251121235153.GK233636@ziepe.ca>
Date: Fri, 21 Nov 2025 19:51:53 -0400
From: Jason Gunthorpe <jgg@...pe.ca>
To: Nirbhay Sharma <nirbhay.lkd@...il.com>
Cc: Kevin Tian <kevin.tian@...el.com>, Shuah Khan <shuah@...nel.org>,
	iommu@...ts.linux.dev, linux-kselftest@...r.kernel.org,
	linux-kernel@...r.kernel.org, david.hunter.linux@...il.com,
	linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [PATCH] selftests/iommu: Fix array-bounds warning in get_hw_info

On Fri, Nov 14, 2025 at 01:38:55AM +0530, Nirbhay Sharma wrote:
> GCC warns about potential out-of-bounds access when the test provides
> a buffer smaller than struct iommu_test_hw_info:
> 
> iommufd_utils.h:817:37: warning: array subscript 'struct
> iommu_test_hw_info[0]' is partly outside array bounds of 'struct
> iommu_test_hw_info_buffer_smaller[1]'
> [-Warray-bounds=]
>   817 |                         assert(!info->flags);
>       |                                 ~~~~^~~~~~~
> 
> The warning occurs because 'info' is cast to a pointer to the full
> 8-byte struct at the top of the function, but the buffer_smaller test
> case passes only a 4-byte buffer. While the code correctly checks
> data_len before accessing each field, GCC's flow analysis with inlining
> doesn't recognize that the size check protects the access.
> 
> Fix this by accessing fields through appropriately-typed pointers that
> match the actual field sizes (__u32), declared only after the bounds
> check. This makes the relationship between the size check and memory
> access explicit to the compiler.
> 
> Signed-off-by: Nirbhay Sharma <nirbhay.lkd@...il.com>
> ---
>  tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------
>  1 file changed, 13 insertions(+), 6 deletions(-)
> 
> diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
> index 9f472c20c190..37c1b994008c 100644
> --- a/tools/testing/selftests/iommu/iommufd_utils.h
> +++ b/tools/testing/selftests/iommu/iommufd_utils.h
> @@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
>  				 void *data, size_t data_len,
>  				 uint32_t *capabilities, uint8_t *max_pasid)
>  {
> -	struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
>  	struct iommu_hw_info cmd = {
>  		.size = sizeof(cmd),
>  		.dev_id = device_id,
> @@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
>  		}
>  	}
>  
> -	if (info) {
> -		if (data_len >= offsetofend(struct iommu_test_hw_info, test_reg))
> -			assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);
> -		if (data_len >= offsetofend(struct iommu_test_hw_info, flags))
> -			assert(!info->flags);
> +	if (data) {
> +		if (data_len >= offsetofend(struct iommu_test_hw_info,
> +					    test_reg)) {
> +			__u32 *test_reg = (__u32 *)data + 1;

This seems too obfuscated, can't we keep the struct somehow and still
remove the warning?

I also feel like you have a compiler bug here, if gcc has inlined
enough to know the size of data then it surely should know the
constant value of data_len?

Failing that, how about just change the caller, maybe like this:

--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -760,6 +760,7 @@ TEST_F(iommufd_ioas, get_hw_info)
        } buffer_larger;
        struct iommu_test_hw_info_buffer_smaller {
                __u32 flags;
+               struct iommu_test_hw_info dummy;
        } buffer_smaller;
 
        if (self->device_id) {
@@ -791,9 +792,11 @@ TEST_F(iommufd_ioas, get_hw_info)
                 * Provide a user_buffer with size smaller than the exact size to check if
                 * the fields within the size range still gets updated.
                 */
-               test_cmd_get_hw_info(self->device_id,
-                                    IOMMU_HW_INFO_TYPE_DEFAULT,
-                                    &buffer_smaller, sizeof(buffer_smaller));
+               test_cmd_get_hw_info(
+                       self->device_id, IOMMU_HW_INFO_TYPE_DEFAULT,
+                       &buffer_smaller,
+                       offsetofend(struct iommu_test_hw_info_buffer_smaller,
+                                   flags));
                test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
                ASSERT_EQ(0, max_pasid);
                if (variant->pasid_capable) {

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ