From patchwork Sun Jan 3 17:07:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 1421892 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmx.de Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.a=rsa-sha256 header.s=badeba3b8450 header.b=MJ/Cf76D; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4D84w36nq3z9sVq for ; Mon, 4 Jan 2021 04:08:13 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B274B80829; Sun, 3 Jan 2021 18:08:05 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.b="MJ/Cf76D"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 8FE278232D; Sun, 3 Jan 2021 18:08:04 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 80B97801D8 for ; Sun, 3 Jan 2021 18:08:01 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=xypron.glpk@gmx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1609693677; bh=laE0JtjGnsc4gN6h2XrN3nE8Ct3dbggdwYeeoRCzpRI=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=MJ/Cf76D+ELmpA28XKy+kln5cLrzj45O4T8EmzPcvHoxzpXyIhm3mMPTyST1W8uRL ZUPp9Q4MOT8wzwpCLWZt72YriobQ0L5GRcNoYiSLf+PwWGhbFpQrWdEfpN8uH8W8yc 7bX6jEqAwcQM6aDspNLVWlGrOummMWIa0hwF7dJo= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from LT02.fritz.box ([62.143.246.89]) by mail.gmx.com (mrgmx104 [212.227.17.174]) with ESMTPSA (Nemesis) id 1Md6R1-1kN39i1Ex9-00aI29; Sun, 03 Jan 2021 18:07:57 +0100 From: Heinrich Schuchardt To: Michal Simek Cc: u-boot@lists.denx.de, Heinrich Schuchardt Subject: [PATCH 1/1] fru: ops: avoid out of bounds access Date: Sun, 3 Jan 2021 18:07:53 +0100 Message-Id: <20210103170753.148349-1-xypron.glpk@gmx.de> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 X-Provags-ID: V03:K1:9Cr3K/vnHDUWaZsH+p9bkx/GfkMP5znk9ejYHfU8VavvtRKSn9J 1u5V/sovi4b5pu/aoTrEr9Y0HWB5ZpNcVKRZcqqOOkUt99PFFlVyLmD5r95a7gsGWc3nLHo 99/DxabJ/Y18jAvvUD4mDiuFMNWrvNm7ngp7CS6mUOIs+uAXWVf8b30juO38DPQQgmeMpxb gE7lliN4vVW0vrgJN8Qiw== X-UI-Out-Filterresults: notjunk:1;V03:K0:b8KAy8K/t7E=:Uev13X0ijFkjX5PU7M1OBT +SMVJEs63pJ0TaMuLYmSg3sdJvlNqanzc1tHUkCp2dWhOgO4tdIZV4zWM8ataEsuU8A6De7O1 ibiVC7xQaof8XvWskSP8YclJKXdxC21dEYzlZerWNIsHah+5n5xlZzdJ9swEEx3rNal46DcuB 3JM+ZbYQaZu8sE7/Nd04D4LajrvD0UygCdIfhocAz9pFCCa7OaJmxKDg4WsvJPX7GcELjF6y1 8abeaJGyYzBS//5hM6qyBOgPoXika+cA3X+CRI8t0WtdTQBwnyP+gwDwjEAlU4DUDotn2F2qh 8qrsgDLZeg0jg78ypI6oyfDfL/Kp3Cvy0QxEyCjQbE12wV7cv3k0DBkrIhEpNCQYHORAL5d92 p7u5RTDGZ0hlSQ3fR9lFpORW6dRZM+IXRTxBnPwg7j6QCOONbJzQkQ3r1xlk77jQyc07/jV2Y lMKTbeud29VxypJmQFFcjv2lN99WHggjdGnpFUmh07fmu4e8qxbQCKq/BRUfTHBijZ/Ezmjel gwyyoksic2/S7S6J7YIBUnU2PC8LtQigJ6HB67eBhwNfpkJHSygDaoCpBzXmFbHeZy7VDHtht Ba1xAA2OO9z7Qrbqs2i69lYLIrRfcKo0hfHA9MSvA2NjvnY2j7E1DeEvDQZDMhkxttppwpC1u JB9/XvQjmfNPDhotmVOeqzNa5RTnjVi0gdjaBzrSh+KfyeR3yxDpg0t0R3sSoyjtfuPZRmv4j 9iAn/eCKJZN53VLIdbpM1aDdeaUh5d72bWweNWHMSFoHG11s/Ir57pLRry5Iv4+pA6a/v4mwF IqdxK1W9C2pJIh79GvPS4jCNi0K5Q54sJLWTa1p+LXk9ulla3eWcvQw3vCFs6Trk0hnepQ671 dMrf11sXO8AJmTMmJG5A== X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Building xilinx_zynq_virt_defconfig fails on origin/next as reported by GCC 10.2 (as provided by Debian Bullseye): CC board/xilinx/common/fru_ops.o board/xilinx/common/fru_ops.c: In function ‘fru_capture’: board/xilinx/common/fru_ops.c:173:8: error: array subscript 284 is outside array bounds of ‘struct fru_table[1]’ [-Werror=array-bounds] 173 | limit = data + sizeof(struct fru_board_data); | ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ board/xilinx/common/fru_ops.c:17:18: note: while referencing ‘fru_data’ 17 | struct fru_table fru_data __section(.data); | ^~~~~~~~ When using sizeof(struct fru_board_data) to find the end of the structure you should add it to the start of the structure. Signed-off-by: Heinrich Schuchardt --- board/xilinx/common/fru_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.29.2 diff --git a/board/xilinx/common/fru_ops.c b/board/xilinx/common/fru_ops.c index b4cd3d4998..44f0913f2e 100644 --- a/board/xilinx/common/fru_ops.c +++ b/board/xilinx/common/fru_ops.c @@ -170,7 +170,7 @@ static int fru_parse_board(unsigned long addr) data = (u8 *)&fru_data.brd.manufacturer_type_len; /* Record max structure limit not to write data over allocated space */ - limit = data + sizeof(struct fru_board_data); + limit = (u8 *)&fru_data.brd + sizeof(struct fru_board_data); for (i = 0; ; i++, data += FRU_BOARD_MAX_LEN) { len = fru_check_type_len(*(u8 *)addr, fru_data.brd.lang_code,