From: Hans de Goede
To: Wentong Wu, Alexander Usyskin, Arnd Bergmann, Greg Kroah-Hartman
Cc: Hans de Goede, Sakari Ailus, Stanislaw Gruszka, linux-kernel@vger.kernel.org, stable@kernel.org
Subject: [PATCH 1/2] mei: vsc: Fix fortify-panic caused by invalid counted_by() use
Date: Tue, 18 Mar 2025 15:12:02 +0100
Message-ID: <20250318141203.94342-2-hdegoede@redhat.com>
In-Reply-To: <20250318141203.94342-1-hdegoede@redhat.com>
References: <20250318141203.94342-1-hdegoede@redhat.com>

gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[]
and the vsc-tp.c code is using this in a wrong way. len does not contain
the available size in the buffer, it contains the actual packet length
*without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to
buf[] the fortify-panic handler gets triggered:

[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0
[ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50
...
[ 80.843175] __fortify_panic+0x9/0xb
[ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw]
[ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90
[ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110
[ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc]
[ 80.843270] mei_reset+0x11d/0x420 [mei]

The easiest fix would be to just drop the counted-by but with the
exception of the ack buffer in vsc_tp_xfer_helper() which only contains
enough room for the packet-header, all other uses of vsc_tp_packet always
use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet.
Instead of just dropping the counted-by, split the vsc_tp_packet struct
definition into a header and a full-packet definition and use a fixed
size buf[] in the packet definition, this way fortify-source buffer
overrun checking still works when enabled.

Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
Cc: stable@kernel.org
Signed-off-by: Hans de Goede
Reviewed-by: Alexander Usyskin
Reviewed-by: Sakari Ailus
---
 drivers/misc/mei/vsc-tp.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index 7be1649b1972..fa553d4914b6 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -36,20 +36,24 @@ #define VSC_TP_XFER_TIMEOUT_BYTES 700 #define VSC_TP_PACKET_PADDING_SIZE 1 #define VSC_TP_PACKET_SIZE(pkt) \ - (sizeof(struct vsc_tp_packet) + le16_to_cpu((pkt)->len) + VSC_TP_CRC_SIZE) + (sizeof(struct vsc_tp_packet_hdr) + le16_to_cpu((pkt)->hdr.len) + VSC_TP_= CRC_SIZE) #define VSC_TP_MAX_PACKET_SIZE \ - (sizeof(struct vsc_tp_packet) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE) + (sizeof(struct vsc_tp_packet_hdr) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE) #define VSC_TP_MAX_XFER_SIZE \ (VSC_TP_MAX_PACKET_SIZE + VSC_TP_XFER_TIMEOUT_BYTES) #define VSC_TP_NEXT_XFER_LEN(len, offset) \ - (len + sizeof(struct vsc_tp_packet) + VSC_TP_CRC_SIZE - offset + VSC_TP_P= ACKET_PADDING_SIZE) + (len + sizeof(struct vsc_tp_packet_hdr) + VSC_TP_CRC_SIZE - offset + VSC_= TP_PACKET_PADDING_SIZE) =20 -struct vsc_tp_packet { +struct vsc_tp_packet_hdr { __u8 sync; __u8 cmd; __le16 len; __le32 seq; - __u8 buf[] __counted_by(len); +}; + +struct vsc_tp_packet { + struct vsc_tp_packet_hdr hdr; + __u8 buf[VSC_TP_MAX_XFER_SIZE - sizeof(struct vsc_tp_packet_hdr)]; }; =20 struct vsc_tp { 
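Review bot: The new struct vsc_tp_packet_hdr / struct vsc_tp_packet pair in the @@ -36,20 +36,24 @@ hunk carries no comment saying that hdr.len is the payload length without the CRC, which is the misunderstanding behind the removed __counted_by(len). A short comment above the fixed-size buf[] member, stating that it holds VSC_TP_MAX_MSG_SIZE bytes of payload plus the CRC plus the VSC_TP_XFER_TIMEOUT_BYTES slack and that len must not be used as its bound, would keep the annotation from being reintroduced later.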
@@ -158,12 +162,12 @@ static int vsc_tp_dev_xfer(struct vsc_tp *tp, void *o= buf, void *ibuf, size_t len static int vsc_tp_xfer_helper(struct vsc_tp *tp, struct vsc_tp_packet *pkt, void *ibuf, u16 ilen) { - int ret, offset =3D 0, cpy_len, src_len, dst_len =3D sizeof(struct vsc_tp= _packet); + int ret, offset =3D 0, cpy_len, src_len, dst_len =3D sizeof(struct vsc_tp= _packet_hdr); int next_xfer_len =3D VSC_TP_PACKET_SIZE(pkt) + VSC_TP_XFER_TIMEOUT_BYTES; u8 *src, *crc_src, *rx_buf =3D tp->rx_buf; int count_down =3D VSC_TP_MAX_XFER_COUNT; u32 recv_crc =3D 0, crc =3D ~0; - struct vsc_tp_packet ack; + struct vsc_tp_packet_hdr ack; u8 *dst =3D (u8 *)&ack; bool synced =3D false; =20 
@@ -280,10 +284,10 @@ int vsc_tp_xfer(struct vsc_tp *tp, u8 cmd, const void= *obuf, size_t olen, =20 guard(mutex)(&tp->mutex); =20 - pkt->sync =3D VSC_TP_PACKET_SYNC; - pkt->cmd =3D cmd; - pkt->len =3D cpu_to_le16(olen); - pkt->seq =3D cpu_to_le32(++tp->seq); + pkt->hdr.sync =3D VSC_TP_PACKET_SYNC; + pkt->hdr.cmd =3D cmd; + pkt->hdr.len =3D cpu_to_le16(olen); + pkt->hdr.seq =3D cpu_to_le32(++tp->seq); memcpy(pkt->buf, obuf, olen); =20 crc =3D ~crc32(~0, (u8 *)pkt, sizeof(pkt) + olen); --=20 2.48.1
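Review bot: In the vsc_tp_xfer() hunk of patch 1/2, the unchanged context line computing the CRC uses sizeof(pkt) + olen, and pkt is dereferenced with -> in the lines just above, so this is the size of a pointer rather than of the packet header. It matches the 8-byte header (sync, cmd, len, seq) only where pointers are 8 bytes wide. Now that the patch introduces struct vsc_tp_packet_hdr, writing the length as sizeof(pkt->hdr) + olen would state the intended CRC range explicitly and is worth folding into this fix or a follow-up.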
From: Hans de Goede
To: Wentong Wu, Alexander Usyskin, Arnd Bergmann, Greg Kroah-Hartman
Cc: Hans de Goede, Sakari Ailus, Stanislaw Gruszka, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type
Date: Tue, 18 Mar 2025 15:12:03 +0100
Message-ID: <20250318141203.94342-3-hdegoede@redhat.com>
In-Reply-To: <20250318141203.94342-1-hdegoede@redhat.com>
References: <20250318141203.94342-1-hdegoede@redhat.com>

vsc_tp.tx_buf and vsc_tp.rx_buf point to a struct vsc_tp_packet, use
the correct type instead of "void *" and use sizeof(*ptr) when allocating
memory for these buffers.

Signed-off-by: Hans de Goede
Reviewed-by: Alexander Usyskin
Reviewed-by: Sakari Ailus
---
 drivers/misc/mei/vsc-tp.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c index fa553d4914b6..da26a080916c 100644 --- a/drivers/misc/mei/vsc-tp.c +++ b/drivers/misc/mei/vsc-tp.c @@ -71,8 +71,8 @@ struct vsc_tp { u32 seq; =20 /* command buffer */ - void *tx_buf; - void *rx_buf; + struct vsc_tp_packet *tx_buf; + struct vsc_tp_packet *rx_buf; =20 atomic_t assert_cnt; wait_queue_head_t xfer_wait; @@ -164,7 +164,7 @@ static int vsc_tp_xfer_helper(struct vsc_tp *tp, struct= vsc_tp_packet *pkt, { int ret, offset =3D 0, cpy_len, src_len, dst_len =3D sizeof(struct vsc_tp= _packet_hdr); int next_xfer_len =3D VSC_TP_PACKET_SIZE(pkt) + VSC_TP_XFER_TIMEOUT_BYTES; - u8 *src, *crc_src, *rx_buf =3D tp->rx_buf; + u8 *src, *crc_src, *rx_buf =3D (u8 *)tp->rx_buf; int count_down =3D VSC_TP_MAX_XFER_COUNT; u32 recv_crc =3D 0, crc =3D ~0; struct vsc_tp_packet_hdr ack; 
@@ -324,7 +324,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf= , void *ibuf, size_t len) guard(mutex)(&tp->mutex); =20 /* rom xfer is big endian */ - cpu_to_be32_array(tp->tx_buf, obuf, words); + cpu_to_be32_array((u32 *)tp->tx_buf, obuf, words); =20 ret =3D read_poll_timeout(gpiod_get_value_cansleep, ret, !ret, VSC_TP_ROM_XFER_POLL_DELAY_US, @@ -340,7 +340,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf= , void *ibuf, size_t len) return ret; =20 if (ibuf) - be32_to_cpu_array(ibuf, tp->rx_buf, words); + be32_to_cpu_array(ibuf, (u32 *)tp->rx_buf, words); =20 return ret; } @@ -494,11 +494,11 @@ static int vsc_tp_probe(struct spi_device *spi) if (!tp) return -ENOMEM; =20 - tp->tx_buf =3D devm_kzalloc(dev, VSC_TP_MAX_XFER_SIZE, GFP_KERNEL); + tp->tx_buf =3D devm_kzalloc(dev, sizeof(*tp->tx_buf), GFP_KERNEL); if (!tp->tx_buf) return -ENOMEM; =20 - tp->rx_buf =3D devm_kzalloc(dev, VSC_TP_MAX_XFER_SIZE, GFP_KERNEL); + tp->rx_buf =3D devm_kzalloc(dev, sizeof(*tp->rx_buf), GFP_KERNEL); if (!tp->rx_buf) return -ENOMEM; =20 --=20 2.48.1
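Review bot: The (u32 *)tp->tx_buf and (u32 *)tp->rx_buf casts added in the two vsc_tp_rom_xfer() hunks of patch 2/2 show that these buffers are also used as raw big-endian word arrays, which the commit message's statement that they point to a struct vsc_tp_packet does not cover. A sentence in the commit message or a comment at the tx_buf/rx_buf members about the ROM path would explain why the casts are needed. The visible lines also show no comparison of words against the buffer size, so if none exists elsewhere in the function, sizeof(*tp->tx_buf) is now available to bound it.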
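Review bot: In the vsc_tp_probe() hunk of patch 2/2, devm_kzalloc(dev, sizeof(*tp->tx_buf), GFP_KERNEL) allocates VSC_TP_MAX_XFER_SIZE bytes only if sizeof(struct vsc_tp_packet) equals that constant, and nothing in the visible lines asserts it. The header contains a __le32 member, so the compiler may round the struct size up when VSC_TP_MAX_XFER_SIZE is not a multiple of that member's alignment. A static_assert(sizeof(struct vsc_tp_packet) == VSC_TP_MAX_XFER_SIZE) next to the struct definition would document the assumption and catch a later change to the size macros.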