lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250709205910.3107691-1-kuba@kernel.org>
Date: Wed,  9 Jul 2025 13:59:10 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: davem@...emloft.net
Cc: netdev@...r.kernel.org,
	edumazet@...gle.com,
	pabeni@...hat.com,
	andrew+netdev@...n.ch,
	horms@...nel.org,
	Jakub Kicinski <kuba@...nel.org>,
	Alexander Duyck <alexanderduyck@...com>,
	jacob.e.keller@...el.com,
	lee@...ger.us
Subject: [PATCH net-next] eth: fbnic: fix ubsan complaints about OOB accesses

UBSAN complains that we reach beyond the end of the log entry:

   UBSAN: array-index-out-of-bounds in drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c:94:50
   index 71 is out of range for type 'char [*]'
   Call Trace:
    <TASK>
    ubsan_epilogue+0x5/0x2b
    fbnic_fw_log_write+0x120/0x960
    fbnic_fw_parse_logs+0x161/0x210

We're just taking the address of the character after the array,
so this really seems like something that should be legal.
But whatever, easy enough to silence by doing direct pointer math.

Fixes: c2b93d6beca8 ("eth: fbnic: Create ring buffer for firmware logs")
Reviewed-by: Alexander Duyck <alexanderduyck@...com>
Signed-off-by: Jakub Kicinski <kuba@...nel.org>
---
CC: alexanderduyck@...com
CC: jacob.e.keller@...el.com
CC: lee@...ger.us
---
 drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c b/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c
index 38749d47cee6..c1663f042245 100644
--- a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c
@@ -91,16 +91,16 @@ int fbnic_fw_log_write(struct fbnic_dev *fbd, u64 index, u32 timestamp,
 		entry = log->data_start;
 	} else {
 		head = list_first_entry(&log->entries, typeof(*head), list);
-		entry = (struct fbnic_fw_log_entry *)&head->msg[head->len + 1];
-		entry = PTR_ALIGN(entry, 8);
+		entry_end = head->msg + head->len + 1;
+		entry = PTR_ALIGN(entry_end, 8);
 	}
 
-	entry_end = &entry->msg[msg_len + 1];
+	entry_end = entry->msg + msg_len + 1;
 
 	/* We've reached the end of the buffer, wrap around */
 	if (entry_end > log->data_end) {
 		entry = log->data_start;
-		entry_end = &entry->msg[msg_len + 1];
+		entry_end = entry->msg + msg_len + 1;
 	}
 
 	/* Make room for entry by removing from tail. */
-- 
2.50.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ