Message ID | 20211207062941.2413679-1-keescook@chromium.org (mailing list archive) |
---|---|
State | Mainlined |
Commit | c7d58971dbea0888b6328ed0ea61089a6d62253a |
Headers | show |
Series | ALSA: mixart: Reduce size of mixart_timer_notify | expand |
On Tue, 07 Dec 2021 07:29:41 +0100, Kees Cook wrote: > > The mixart_timer_notify structure was larger than could be represented > by the mixart_msg_data array storage. Adjust the size to as large as > possible to fix the warning seen with -Warray-bounds builds: > > sound/pci/mixart/mixart_core.c: In function 'snd_mixart_threaded_irq': > sound/pci/mixart/mixart_core.c:447:50: error: array subscript 'struct mixart_timer_notify[0]' is partly outside array bounds of 'u32[128]' {aka 'unsigned int[128]'} [-Werror=array-bounds] > 447 | for(i=0; i<notify->stream_count; i++) { > | ^~ > sound/pci/mixart/mixart_core.c:328:12: note: while referencing 'mixart_msg_data' > 328 | static u32 mixart_msg_data[MSG_DEFAULT_SIZE / 4]; > | ^~~~~~~~~~~~~~~ > > Signed-off-by: Kees Cook <keescook@chromium.org> Thanks, applied now. > @@ -444,6 +442,7 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id) > struct mixart_timer_notify *notify; > notify = (struct mixart_timer_notify *)mixart_msg_data; > > + BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data)); > for(i=0; i<notify->stream_count; i++) { > > u32 buffer_id = notify->streams[i].buffer_id; I guess we should add the array boundary check of notify->stream_count, instead of fully relying on the hardware reply, too. Will submit the additional check. Takashi
diff --git a/sound/pci/mixart/mixart_core.c b/sound/pci/mixart/mixart_core.c index fb8895af0363..853083dd4bad 100644 --- a/sound/pci/mixart/mixart_core.c +++ b/sound/pci/mixart/mixart_core.c @@ -23,8 +23,6 @@ #define MSG_DESCRIPTOR_SIZE 0x24 #define MSG_HEADER_SIZE (MSG_DESCRIPTOR_SIZE + 4) -#define MSG_DEFAULT_SIZE 512 - #define MSG_TYPE_MASK 0x00000003 /* mask for following types */ #define MSG_TYPE_NOTIFY 0 /* embedded -> driver (only notification, do not get_msg() !) */ #define MSG_TYPE_COMMAND 1 /* driver <-> embedded (a command has no answer) */ @@ -444,6 +442,7 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id) struct mixart_timer_notify *notify; notify = (struct mixart_timer_notify *)mixart_msg_data; + BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data)); for(i=0; i<notify->stream_count; i++) { u32 buffer_id = notify->streams[i].buffer_id; diff --git a/sound/pci/mixart/mixart_core.h b/sound/pci/mixart/mixart_core.h index fbf4731a276d..2f0e29ed5d63 100644 --- a/sound/pci/mixart/mixart_core.h +++ b/sound/pci/mixart/mixart_core.h @@ -49,6 +49,7 @@ enum mixart_message_id { MSG_CLOCK_SET_PROPERTIES = 0x200002, }; +#define MSG_DEFAULT_SIZE 512 struct mixart_msg { @@ -251,10 +252,17 @@ struct mixart_sample_pos u32 sample_pos_low_part; } __attribute__((packed)); +/* + * This structure is limited by the size of MSG_DEFAULT_SIZE. Instead of + * having MIXART_MAX_STREAM_PER_CARD * MIXART_MAX_CARDS many streams, + * this is capped to have a total size below MSG_DEFAULT_SIZE. + */ +#define MIXART_MAX_TIMER_NOTIFY_STREAMS \ + ((MSG_DEFAULT_SIZE - sizeof(u32)) / sizeof(struct mixart_sample_pos)) struct mixart_timer_notify { u32 stream_count; - struct mixart_sample_pos streams[MIXART_MAX_STREAM_PER_CARD * MIXART_MAX_CARDS]; + struct mixart_sample_pos streams[MIXART_MAX_TIMER_NOTIFY_STREAMS]; } __attribute__((packed));
The mixart_timer_notify structure was larger than could be represented by the mixart_msg_data array storage. Adjust the size to as large as possible to fix the warning seen with -Warray-bounds builds: sound/pci/mixart/mixart_core.c: In function 'snd_mixart_threaded_irq': sound/pci/mixart/mixart_core.c:447:50: error: array subscript 'struct mixart_timer_notify[0]' is partly outside array bounds of 'u32[128]' {aka 'unsigned int[128]'} [-Werror=array-bounds] 447 | for(i=0; i<notify->stream_count; i++) { | ^~ sound/pci/mixart/mixart_core.c:328:12: note: while referencing 'mixart_msg_data' 328 | static u32 mixart_msg_data[MSG_DEFAULT_SIZE / 4]; | ^~~~~~~~~~~~~~~ Signed-off-by: Kees Cook <keescook@chromium.org> --- sound/pci/mixart/mixart_core.c | 3 +-- sound/pci/mixart/mixart_core.h | 10 +++++++++- 2 files changed, 10 insertions(+), 3 deletions(-)