Re: [PATCH] thunderbolt: xdomain: Avoid potential stack OOB read

From: Mika Westerberg
Date: Tue Dec 07 2021 - 07:21:25 EST

Next message: Sameer Pujar: "Re: [PATCH 2/3] dt-bindings: sound: tegra: Update HDA resets"
Previous message: Dan Carpenter: "Re: [PATCH] intel_th: remove redundant re-assignment of pointer hubdrv"
In reply to: Kees Cook: "[PATCH] thunderbolt: xdomain: Avoid potential stack OOB read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Dec 06, 2021 at 10:34:13PM -0800, Kees Cook wrote:
> tb_xdp_properties_changed_request() was calling tb_xdp_handle_error() with
> a struct tb_xdp_properties_changed_response on the stack, which does not
> have the "error" field present when cast to struct tb_xdp_error_response.
> This was detected when building with -Warray-bounds:
>
> drivers/thunderbolt/xdomain.c: In function 'tb_xdomain_properties_changed':
> drivers/thunderbolt/xdomain.c:226:22: error: array subscript 'const struct tb_xdp_error_response[0]' is partly outside array bounds of 'struct tb_xdp_properties_changed_response[1]' [-Werror=array-bounds]
> 226 | switch (error->error) {
> | ~~~~~^~~~~~~
> drivers/thunderbolt/xdomain.c:448:51: note: while referencing 'res'
> 448 | struct tb_xdp_properties_changed_response res;
> | ^~~
>
> Add union containing struct tb_xdp_error_response to structures passed
> to tb_xdp_handle_error(), so that the "error" field will be present.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Applied, thanks!

Next message: Sameer Pujar: "Re: [PATCH 2/3] dt-bindings: sound: tegra: Update HDA resets"
Previous message: Dan Carpenter: "Re: [PATCH] intel_th: remove redundant re-assignment of pointer hubdrv"
In reply to: Kees Cook: "[PATCH] thunderbolt: xdomain: Avoid potential stack OOB read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]