diff options
author | Kees Cook <keescook@chromium.org> | 2021-12-06 22:34:13 -0800 |
---|---|---|
committer | Mika Westerberg <mika.westerberg@linux.intel.com> | 2021-12-07 15:05:44 +0300 |
commit | 19813551701d004b517534888aa4e2a62ca4488e (patch) | |
tree | 326d4a3d9b24c995ed875c4e8e80fbe049b5e40b /.gitattributes | |
parent | 0fcfb00b28c0b7884635dacf38e46d60bf3d4eb1 (diff) | |
download | linux-19813551701d004b517534888aa4e2a62ca4488e.tar.bz2 |
thunderbolt: xdomain: Avoid potential stack OOB read
tb_xdp_properties_changed_request() was calling tb_xdp_handle_error() with
a struct tb_xdp_properties_changed_response on the stack, which does not
have the "error" field present when cast to struct tb_xdp_error_response.
This was detected when building with -Warray-bounds:
drivers/thunderbolt/xdomain.c: In function 'tb_xdomain_properties_changed':
drivers/thunderbolt/xdomain.c:226:22: error: array subscript 'const struct tb_xdp_error_response[0]' is partly outside array bounds of 'struct tb_xdp_properties_changed_response[1]' [-Werror=array-bounds]
226 | switch (error->error) {
| ~~~~~^~~~~~~
drivers/thunderbolt/xdomain.c:448:51: note: while referencing 'res'
448 | struct tb_xdp_properties_changed_response res;
| ^~~
Add union containing struct tb_xdp_error_response to structures passed
to tb_xdp_handle_error(), so that the "error" field will be present.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Diffstat (limited to '.gitattributes')
0 files changed, 0 insertions, 0 deletions