# git rev-parse -q --verify a73bbfba991f8bb5d1814affcf1f7642ca0cdd35^{commit} a73bbfba991f8bb5d1814affcf1f7642ca0cdd35 already have revision, skipping fetch # git checkout -q -f -B kisskb a73bbfba991f8bb5d1814affcf1f7642ca0cdd35 # git clean -qxdf # < git log -1 # commit a73bbfba991f8bb5d1814affcf1f7642ca0cdd35 # Author: Gustavo A. R. Silva # Date: Wed Mar 10 19:40:43 2021 -0600 # # media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() # # Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of # its msg_data array from 4 to 5 elements. Notice that at some point # the 5th element of msg_data is being accessed in function # smscore_load_firmware_family2(): # # 1006 trigger_msg->msg_data[4] = 4; /* Task ID */ # # Also, there is no need for the object _trigger_msg_ of type struct # sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data # in struct sms_msg_data is a one-element array, which causes multiple # out-of-bounds warnings when accessing beyond its first element # in function smscore_load_firmware_family2(): # # 992 struct sms_msg_data *trigger_msg = # 993 (struct sms_msg_data *) msg; # 994 # 995 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); # 996 SMS_INIT_MSG(&msg->x_msg_header, # 997 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, # 998 sizeof(struct sms_msg_hdr) + # 999 sizeof(u32) * 5); # 1000 # 1001 trigger_msg->msg_data[0] = firmware->start_address; # 1002 /* Entry point */ # 1003 trigger_msg->msg_data[1] = 6; /* Priority */ # 1004 trigger_msg->msg_data[2] = 0x200; /* Stack size */ # 1005 trigger_msg->msg_data[3] = 0; /* Parameter */ # 1006 trigger_msg->msg_data[4] = 4; /* Task ID */ # # even when enough dynamic memory is allocated for _msg_: # # 929 /* PAGE_SIZE buffer shall be enough and dma aligned */ # 930 msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags); # # but as _msg_ is casted to (struct sms_msg_data *): # # 992 struct sms_msg_data *trigger_msg = # 993 (struct sms_msg_data *) msg; # # the out-of-bounds warnings are actually valid and should be addressed. # # Fix this by declaring object _msg_ of type struct sms_msg_data5 *, # which contains a 5-elements array, instead of just 4. And use # _msg_ directly, instead of creating object trigger_msg. # # This helps with the ongoing efforts to enable -Warray-bounds by fixing # the following warnings: # # CC [M] drivers/media/common/siano/smscoreapi.o # drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’: # drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] # 1003 | trigger_msg->msg_data[1] = 6; /* Priority */ # | ~~~~~~~~~~~~~~~~~~~~~^~~ # In file included from drivers/media/common/siano/smscoreapi.c:12: # drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ # 619 | u32 msg_data[1]; # | ^~~~~~~~ # drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] # 1004 | trigger_msg->msg_data[2] = 0x200; /* Stack size */ # | ~~~~~~~~~~~~~~~~~~~~~^~~ # In file included from drivers/media/common/siano/smscoreapi.c:12: # drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ # 619 | u32 msg_data[1]; # | ^~~~~~~~ # drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] # 1005 | trigger_msg->msg_data[3] = 0; /* Parameter */ # | ~~~~~~~~~~~~~~~~~~~~~^~~ # In file included from drivers/media/common/siano/smscoreapi.c:12: # drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ # 619 | u32 msg_data[1]; # | ^~~~~~~~ # drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] # 1006 | trigger_msg->msg_data[4] = 4; /* Task ID */ # | ~~~~~~~~~~~~~~~~~~~~~^~~ # In file included from drivers/media/common/siano/smscoreapi.c:12: # drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ # 619 | u32 msg_data[1]; # | ^~~~~~~~ # # Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares") # Co-developed-by: Kees Cook # Signed-off-by: Kees Cook # Signed-off-by: Gustavo A. R. Silva # < /opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux-ld --version # < git log --format=%s --max-count=1 a73bbfba991f8bb5d1814affcf1f7642ca0cdd35 # < make -s -j 8 ARCH=i386 O=/kisskb/build/gustavoars_i386-allnoconfig_i386-gcc4.9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux- allnoconfig # < make -s -j 8 ARCH=i386 O=/kisskb/build/gustavoars_i386-allnoconfig_i386-gcc4.9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux- help # make -s -j 8 ARCH=i386 O=/kisskb/build/gustavoars_i386-allnoconfig_i386-gcc4.9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux- olddefconfig # make -s -j 8 ARCH=i386 O=/kisskb/build/gustavoars_i386-allnoconfig_i386-gcc4.9 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-4.9.4-nolibc/i386-linux/bin/i386-linux- Completed OK # rm -rf /kisskb/build/gustavoars_i386-allnoconfig_i386-gcc4.9 # Build took: 0:00:36.924730