git.kernel.dk Git - linux-block.git/commit

author	Kees Cook <keescook@chromium.org>
	Tue, 7 Dec 2021 06:34:13 +0000 (22:34 -0800)
committer	Mika Westerberg <mika.westerberg@linux.intel.com>
	Tue, 7 Dec 2021 12:05:44 +0000 (15:05 +0300)
commit	19813551701d004b517534888aa4e2a62ca4488e
tree	326d4a3d9b24c995ed875c4e8e80fbe049b5e40b	tree \| snapshot
parent	0fcfb00b28c0b7884635dacf38e46d60bf3d4eb1	commit \| diff

thunderbolt: xdomain: Avoid potential stack OOB read

tb_xdp_properties_changed_request() was calling tb_xdp_handle_error() with
a struct tb_xdp_properties_changed_response on the stack, which does not
have the "error" field present when cast to struct tb_xdp_error_response.
This was detected when building with -Warray-bounds:

drivers/thunderbolt/xdomain.c: In function 'tb_xdomain_properties_changed':
drivers/thunderbolt/xdomain.c:226:22: error: array subscript 'const struct tb_xdp_error_response[0]' is partly outside array bounds of 'struct tb_xdp_properties_changed_response[1]' [-Werror=array-bounds]
  226 |         switch (error->error) {
      |                 ~~~~~^~~~~~~
drivers/thunderbolt/xdomain.c:448:51: note: while referencing 'res'
  448 |         struct tb_xdp_properties_changed_response res;
      |                                                   ^~~

Add union containing struct tb_xdp_error_response to structures passed
to tb_xdp_handle_error(), so that the "error" field will be present.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>

drivers/thunderbolt/tb_msgs.h		diff \| blob \| blame \| history
drivers/thunderbolt/xdomain.c		diff \| blob \| blame \| history