[5.15,019/102] net: chelsio: cxgb4: Avoid potential negative array offset

From: Kees Cook <keescook@chromium.org>

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 1c7ab9cd98b78bef1657a5db7204d8d437e24c94 ]

Using min_t(int, ...) as a potential array index implies to the compiler
that negative offsets should be allowed. This is not the case, though.
Replace "int" with "unsigned int". Fixes the following warning exposed
under future CONFIG_FORTIFY_SOURCE improvements:

In file included from include/linux/string.h:253,
                 from include/linux/bitmap.h:11,
                 from include/linux/cpumask.h:12,
                 from include/linux/smp.h:13,
                 from include/linux/lockdep.h:14,
                 from include/linux/rcupdate.h:29,
                 from include/linux/rculist.h:11,
                 from include/linux/pid.h:5,
                 from include/linux/sched.h:14,
                 from include/linux/delay.h:23,
                 from drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:35:
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c: In function 't4_get_raw_vpd_params':
include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 29 and size [2147483648, 4294967295] [-Warray-bounds]
   46 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^
include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
  388 |         __underlying_##op(p, q, __fortify_size);                        \
      |         ^~~~~~~~~~~~~
include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
  433 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
      |                          ^~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2796:9: note: in expansion of macro 'memcpy'
 2796 |         memcpy(p->id, vpd + id, min_t(int, id_len, ID_LEN));
      |         ^~~~~~
include/linux/fortify-string.h:46:33: warning: '__builtin_memcpy' pointer overflow between offset 0 and size [2147483648, 4294967295] [-Warray-bounds]
   46 | #define __underlying_memcpy     __builtin_memcpy
      |                                 ^
include/linux/fortify-string.h:388:9: note: in expansion of macro '__underlying_memcpy'
  388 |         __underlying_##op(p, q, __fortify_size);                        \
      |         ^~~~~~~~~~~~~
include/linux/fortify-string.h:433:26: note: in expansion of macro '__fortify_memcpy_chk'
  433 | #define memcpy(p, q, s)  __fortify_memcpy_chk(p, q, s,                  \
      |                          ^~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:2798:9: note: in expansion of macro 'memcpy'
 2798 |         memcpy(p->sn, vpd + sn, min_t(int, sn_len, SERNUM_LEN));
      |         ^~~~~~

Additionally remove needless cast from u8[] to char * in last strim()
call.

Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/lkml/202205031926.FVP7epJM-lkp@intel.com
Fixes: fc9279298e3a ("cxgb4: Search VPD with pci_vpd_find_ro_info_keyword()")
Fixes: 24c521f81c30 ("cxgb4: Use pci_vpd_find_id_string() to find VPD ID string")
Cc: Raju Rangoju <rajur@chelsio.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220505233101.1224230-1-keescook@chromium.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Message ID	20220516193624.550839514@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, kernel test robot <lkp@intel.com>, Raju Rangoju <rajur@chelsio.com>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, Kees Cook <keescook@chromium.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.15 019/102] net: chelsio: cxgb4: Avoid potential negative array offset Date: Mon, 16 May 2022 21:35:53 +0200 Message-Id: <20220516193624.550839514@linuxfoundation.org> In-Reply-To: <20220516193623.989270214@linuxfoundation.org> References: <20220516193623.989270214@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.15,002/102] iwlwifi: iwl-dbg: Use del_timer_sync() before freeing [5.15,003/102] hwmon: (tmp401) Add OF device ID table [5.15,004/102] mac80211: Reset MBSSID parameters upon connection [5.15,005/102] net: Fix features skip in for_each_netdev_feature() [5.15,006/102] net: mscc: ocelot: fix last VCAP IS1/IS2 filter persisting in hardware when deleted [5.15,007/102] net: mscc: ocelot: fix VCAP IS2 filters matching on both lookups [5.15,008/102] net: mscc: ocelot: restrict tc-trap actions to VCAP IS2 lookup 0 [5.15,009/102] net: mscc: ocelot: avoid corrupting hardware counters when moving VCAP filters [5.15,010/102] fbdev: simplefb: Cleanup fb_info in .fb_destroy rather than .remove [5.15,011/102] fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove [5.15,012/102] fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove [5.15,013/102] platform/surface: aggregator: Fix initialization order when compiling as builtin m... [5.15,014/102] ice: Fix race during aux device (un)plugging [5.15,015/102] ice: fix PTP stale Tx timestamps cleanup [5.15,016/102] ipv4: drop dst in multicast routing path [5.15,017/102] drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name() [5.15,018/102] netlink: do not reset transport header in netlink_recvmsg() [5.15,019/102] net: chelsio: cxgb4: Avoid potential negative array offset [5.15,020/102] fbdev: efifb: Fix a use-after-free due early fb_info cleanup [5.15,021/102] sfc: Use swap() instead of open coding it [5.15,022/102] net: sfc: fix memory leak due to ptp channel [5.15,023/102] mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection [5.15,024/102] nfs: fix broken handling of the softreval mount option [5.15,025/102] ionic: fix missing pci_release_regions() on error in ionic_probe() [5.15,026/102] dim: initialize all struct fields [5.15,027/102] hwmon: (ltq-cputemp) restrict it to SOC_XWAY [5.15,028/102] procfs: prevent unprivileged processes accessing fdinfo dir [5.15,029/102] selftests: vm: Makefile: rename TARGETS to VMTARGETS [5.15,030/102] arm64: vdso: fix makefile dependency on vdso.so [5.15,031/102] virtio: fix virtio transitional ids [5.15,032/102] s390/ctcm: fix variable dereferenced before check [5.15,033/102] s390/ctcm: fix potential memory leak [5.15,034/102] s390/lcs: fix variable dereferenced before check [5.15,035/102] net/sched: act_pedit: really ensure the skb is writable [5.15,036/102] net: ethernet: mediatek: ppe: fix wrong size passed to memset() [5.15,037/102] net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral [5.15,038/102] drm/vc4: hdmi: Fix build error for implicit function declaration [5.15,039/102] net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down() [5.15,040/102] net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending [5.15,041/102] net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() [5.15,042/102] tls: Fix context leak on tls_device_down [5.15,043/102] drm/vmwgfx: Fix fencing on SVGAv3 [5.15,044/102] gfs2: Fix filesystem block deallocation for short writes [5.15,045/102] hwmon: (f71882fg) Fix negative temperature [5.15,046/102] RDMA/irdma: Fix deadlock in irdma_cleanup_cm_core() [5.15,047/102] iommu: arm-smmu: disable large page mappings for Nvidia arm-smmu [5.15,048/102] ASoC: max98090: Reject invalid values in custom control put() [5.15,049/102] ASoC: max98090: Generate notifications on changes for custom control [5.15,050/102] ASoC: ops: Validate input values in snd_soc_put_volsw_range() [5.15,051/102] s390: disable -Warray-bounds [5.15,052/102] ASoC: SOF: Fix NULL pointer exception in sof_pci_probe callback [5.15,053/102] net: emaclite: Dont advertise 1000BASE-T and do auto negotiation [5.15,054/102] net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT [5.15,055/102] secure_seq: use the 64 bits of the siphash for port offset calculation [5.15,056/102] tcp: use different parts of the port_offset for index and offset [5.15,057/102] tcp: resalt the secret every 10 seconds [5.15,058/102] tcp: add small random increments to the source port [5.15,059/102] tcp: dynamically allocate the perturb table used by source ports [5.15,060/102] tcp: increase source port perturb table to 2^16 [5.15,061/102] tcp: drop the hash_32() part from the index calculation [5.15,062/102] interconnect: Restore sync state by ignoring ipa-virt in provider count [5.15,063/102] firmware_loader: use kernel credentials when reading firmware [5.15,064/102] KVM: PPC: Book3S PR: Enable MSR_DR for switch_mmu_context() [5.15,065/102] usb: xhci-mtk: fix fs isocs transfer error [5.15,066/102] x86/mm: Fix marking of unused sub-pmd ranges [5.15,067/102] tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() [5.15,068/102] tty: n_gsm: fix buffer over-read in gsm_dlci_data() [5.15,069/102] tty: n_gsm: fix mux activation issues in gsm_config() [5.15,070/102] usb: cdc-wdm: fix reading stuck on device close [5.15,071/102] usb: typec: tcpci: Dont skip cleanup in .remove() on error [5.15,072/102] usb: typec: tcpci_mt6360: Update for BMC PHY setting [5.15,073/102] USB: serial: pl2303: add device id for HP LM930 Display [5.15,074/102] USB: serial: qcserial: add support for Sierra Wireless EM7590 [5.15,075/102] USB: serial: option: add Fibocom L610 modem [5.15,076/102] USB: serial: option: add Fibocom MA510 modem [5.15,077/102] slimbus: qcom: Fix IRQ check in qcom_slim_probe [5.15,078/102] fsl_lpuart: Dont enable interrupts too early [5.15,079/102] serial: 8250_mtk: Fix UART_EFR register address [5.15,080/102] serial: 8250_mtk: Fix register address for XON/XOFF character [5.15,081/102] ceph: fix setting of xattrs on async created inodes [5.15,082/102] Revert "mm/memory-failure.c: skip huge_zero_page in memory_failure()" [5.15,083/102] mm/huge_memory: do not overkill when splitting huge_zero_page [5.15,084/102] drm/vmwgfx: Disable command buffers on svga3 without gbobjects [5.15,085/102] drm/nouveau/tegra: Stop using iommu_present() [5.15,086/102] i40e: i40e_main: fix a missing check on list iterator [5.15,087/102] net: atlantic: always deep reset on pm op, fixing up my null deref regression [5.15,088/102] net: phy: Fix race condition on link status change [5.15,089/102] writeback: Avoid skipping inode writeback [5.15,090/102] cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() [5.15,091/102] arm[64]/memremap: dont abuse pfn_valid() to ensure presence of linear map [5.15,092/102] net: phy: micrel: Do not use kszphy_suspend/resume for KSZ8061 [5.15,093/102] net: phy: micrel: Pass .probe for KS8737 [5.15,094/102] SUNRPC: Ensure that the gssproxy client can start in a connected state [5.15,095/102] drm/vmwgfx: Initialize drm_mode_fb_cmd2 [5.15,096/102] Revert "drm/amd/pm: keep the BACO feature enabled for suspend" [5.15,097/102] dma-buf: call dma_buf_stats_setup after dmabuf is in valid list [5.15,098/102] mm/hwpoison: use pr_err() instead of dump_page() in get_any_page() [5.15,099/102] SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() [5.15,100/102] ping: fix address binding wrt vrf [5.15,101/102] usb: gadget: uvc: rename function to be more consistent [5.15,102/102] usb: gadget: uvc: allow for application to cleanly shutdown

[5.15,019/102] net: chelsio: cxgb4: Avoid potential negative array offset

Commit Message

Patch