From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
To: Hans de Goede <hdegoede@redhat.com>
Cc: Linux Media Mailing List <linux-media@vger.kernel.org>
Subject: [PATCH] media: atomisp: fix 'read beyond size of field'
Date: Tue, 26 Sep 2023 11:27:09 +0200 [thread overview]
Message-ID: <d102a389-af14-45fd-a304-d2458c06cca3@xs4all.nl> (raw)
If CONFIG_FORTIFY_SOURCE=y, then this warning is produced:
In file included from ./include/linux/string.h:254,
from ./include/linux/bitmap.h:11,
from ./include/linux/cpumask.h:12,
from ./arch/x86/include/asm/cpumask.h:5,
from ./arch/x86/include/asm/msr.h:11,
from ./arch/x86/include/asm/processor.h:23,
from ./arch/x86/include/asm/cpufeature.h:5,
from ./arch/x86/include/asm/thread_info.h:53,
from ./include/linux/thread_info.h:60,
from ./arch/x86/include/asm/preempt.h:9,
from ./include/linux/preempt.h:79,
from ./include/linux/spinlock.h:56,
from ./include/linux/mmzone.h:8,
from ./include/linux/gfp.h:7,
from ./include/linux/slab.h:16,
from ./drivers/staging/media/atomisp//include/hmm/hmm.h:26,
from drivers/staging/media/atomisp/pci/sh_css_params.c:26:
In function ‘fortify_memcpy_chk’,
inlined from ‘sh_css_store_sp_group_to_ddr’ at drivers/staging/media/atomisp/pci/sh_css_params.c:3736:3:
./include/linux/fortify-string.h:592:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()?
[-Wattribute-warning]
592 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The reason is that the memcpy copies two fields (each a u8), when the source
pointer points to the first field. It's a bit unexpected, so just make this
explicit.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
---
Hans, can you verify that it is indeed the intention of the original code
to write both bytes?
Note that I think that the initial memcpy is equally dubious. I think that
should be replaced by '*buf_ptr++ = ...' lines as well, rather than just
copying the first three fields with a memcpy. If you want I can make a v2
that does that.
---
diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
index 5667e855da76..232744973ab8 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -3733,8 +3733,8 @@ ia_css_ptr sh_css_store_sp_group_to_ddr(void)
if (IS_ISP2401) {
memcpy(buf_ptr, &sh_css_sp_group.config, 3);
buf_ptr += 3;
- memcpy(buf_ptr, &sh_css_sp_group.config.enable_isys_event_queue, 2);
- buf_ptr += 2;
+ *buf_ptr++ = sh_css_sp_group.config.enable_isys_event_queue;
+ *buf_ptr++ = sh_css_sp_group.config.disable_cont_vf;
memset(buf_ptr, 0, 3);
buf_ptr += 3; /* Padding 3 bytes for struct sh_css_sp_config*/
} else {
next reply other threads:[~2023-09-26 9:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-26 9:27 Hans Verkuil [this message]
2023-09-26 9:52 ` [PATCH] media: atomisp: fix 'read beyond size of field' Hans de Goede
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d102a389-af14-45fd-a304-d2458c06cca3@xs4all.nl \
--to=hverkuil-cisco@xs4all.nl \
--cc=hdegoede@redhat.com \
--cc=linux-media@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.