[openwrt/openwrt] ltq-vdsl-vr11-mei: fix field-spanning write warning
LEDE Commits
lede-commits at lists.infradead.org
Sat Feb 22 10:54:03 PST 2025
hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/6df4e4663b9e2b41b320630681b7692e0d3f8861
commit 6df4e4663b9e2b41b320630681b7692e0d3f8861
Author: Jan Hoffmann <jan at 3e8.eu>
AuthorDate: Thu Feb 6 23:54:24 2025 +0100
ltq-vdsl-vr11-mei: fix field-spanning write warning
Since the update to kernel 6.1, a warning like this appears in the
kernel log:
[ 49.773953] ------------[ cut here ]------------
[ 49.773998] WARNING: CPU: 3 PID: 2349 at target-arm_cortex-a7+neon-vfpv4_musl_eabi/linux-ipq40xx_generic/dsl_cpe_mei-ugw_8.5.2.10/src/drv_mei_cpe_msg_process.c:3570 MEI_IoctlCmdMsgWrite+0x290/0x2c8 [drv_mei_cpe]
[ 49.777670] memcpy: detected field-spanning write (size 4) of single field "pDestPtr" at target-arm_cortex-a7+neon-vfpv4_musl_eabi/linux-ipq40xx_generic/dsl_cpe_mei-ugw_8.5.2.10/src/drv_mei_cpe_msg_process.c:3570 (size 2)
...
[ 50.087078] ---[ end trace 0000000000000000 ]---
The variable "pDestPtr" points to the field "header.index" in a
CMV_STD_MESSAGE_T struct (header is a CMV_STD_MESSAGE_HEADER_T struct).
The offending code intentionally copies data beyond this field, which is
followed by "header.length" and "payload".
To fix this, change the assignment of "pDestPtr" to use the pointer to
the message plus the offset of the "header.index" field. This way, the
compiler knows about the size and thus the false positive warning
disappears.
While at it, also adjust all places where similar code is used to copy
from a CMV_STD_MESSAGE_T struct.
Also mark all related structs as packed, because the code (and the
driver in general) seems to rely on that anyway.
Fixes: https://github.com/openwrt/openwrt/issues/17142
Signed-off-by: Jan Hoffmann <jan at 3e8.eu>
Link: https://patchwork.ozlabs.org/project/openwrt/patch/20250206225444.2521817-1-jan@3e8.eu/
Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
package/kernel/lantiq/ltq-vdsl-vr11-mei/Makefile | 2 +-
...x-field-spanning-write-mei-mailbox-packed.patch | 179 +++++++++++++++++++++
2 files changed, 180 insertions(+), 1 deletion(-)
diff --git a/package/kernel/lantiq/ltq-vdsl-vr11-mei/Makefile b/package/kernel/lantiq/ltq-vdsl-vr11-mei/Makefile
index 3e01ee6373..b91854558e 100644
--- a/package/kernel/lantiq/ltq-vdsl-vr11-mei/Makefile
+++ b/package/kernel/lantiq/ltq-vdsl-vr11-mei/Makefile
@@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=ltq-vdsl-vr11-mei
PKG_VERSION:=1.11.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_BASE_NAME:=dsl_cpe_mei
UGW_VERSION=8.5.2.10
diff --git a/package/kernel/lantiq/ltq-vdsl-vr11-mei/patches/131-fix-field-spanning-write-mei-mailbox-packed.patch b/package/kernel/lantiq/ltq-vdsl-vr11-mei/patches/131-fix-field-spanning-write-mei-mailbox-packed.patch
new file mode 100644
index 0000000000..202a7d63f8
--- /dev/null
+++ b/package/kernel/lantiq/ltq-vdsl-vr11-mei/patches/131-fix-field-spanning-write-mei-mailbox-packed.patch
@@ -0,0 +1,179 @@
+--- a/src/cmv_message_format.h
++++ b/src/cmv_message_format.h
+@@ -308,7 +308,7 @@ typedef struct cmv_std_message_header_s
+ unsigned short index;
+ /** CMV length */
+ unsigned short length;
+-} CMV_STD_MESSAGE_HEADER_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_HEADER_T;
+
+ /**
+ CMV payload paramaters (8, 16, 32 Bit)
+@@ -318,7 +318,7 @@ typedef union cmv_std_message_payload_s
+ unsigned char params_8Bit[CMV_USED_PAYLOAD_8BIT_SIZE];
+ unsigned short params_16Bit[CMV_USED_PAYLOAD_16BIT_SIZE];
+ unsigned int params_32Bit[CMV_USED_PAYLOAD_32BIT_SIZE];
+-} CMV_STD_MESSAGE_PAYLOAD_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_PAYLOAD_T;
+
+ /**
+ CMV Standard message.
+@@ -327,7 +327,7 @@ typedef struct cmv_std_message_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_STD_MESSAGE_PAYLOAD_T payload;
+-} CMV_STD_MESSAGE_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_T;
+
+
+ /* ============================================================================
+@@ -341,7 +341,7 @@ typedef struct cmv_message_modem_rdy_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_STD_MESSAGE_PAYLOAD_T modemRdyParams;
+-} CMV_MESSAGE_MODEM_RDY_T;
++} __attribute__((packed)) CMV_MESSAGE_MODEM_RDY_T;
+
+
+ /* ============================================================================
+@@ -358,7 +358,7 @@ typedef struct cmv_message_modem_rdy_s
+ typedef struct cmv_message_cs_static_params_s
+ {
+ unsigned short pageIdx[MEI_CMV_CODESWAP_MAX_PAGES];
+-} CMV_MESSAGE_CS_STATIC_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_STATIC_PARAMS_T;
+
+
+ typedef struct cmv_dyn_codeswap_page_info_s
+@@ -366,7 +366,7 @@ typedef struct cmv_dyn_codeswap_page_inf
+ unsigned short pageIdx;
+ unsigned short h_destAddr;
+ unsigned short l_destAddr;
+-} CMV_DYN_CODESWAP_PAGE_INFO_T;
++} __attribute__((packed)) CMV_DYN_CODESWAP_PAGE_INFO_T;
+
+ /**
+ CMV codeswap message payload (dynamic).
+@@ -374,7 +374,7 @@ typedef struct cmv_dyn_codeswap_page_inf
+ typedef struct cmv_message_cs_dyn_params_s
+ {
+ CMV_DYN_CODESWAP_PAGE_INFO_T pageInfo[MEI_CMV_CODESWAP_MAX_PAGES];
+-} CMV_MESSAGE_CS_DYN_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_DYN_PARAMS_T;
+
+
+ /**
+@@ -388,7 +388,7 @@ typedef struct cmv_message_cs_s
+ CMV_MESSAGE_CS_STATIC_PARAMS_T csStaticParams;
+ CMV_MESSAGE_CS_DYN_PARAMS_T csDynParams;
+ } params;
+-} CMV_MESSAGE_CS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_T;
+
+ /* ============================================================================
+ CMV Fast Read request message definitions
+@@ -406,7 +406,7 @@ typedef struct cmv_fast_read_params_s
+ unsigned short addrMSW;
+ unsigned short addrLSW;
+ unsigned short size_16bit;
+-} CMV_FAST_READ_PARAMS_T;
++} __attribute__((packed)) CMV_FAST_READ_PARAMS_T;
+
+ /**
+ CMV fast read message payload.
+@@ -414,7 +414,7 @@ typedef struct cmv_fast_read_params_s
+ typedef struct cmv_message_fast_rd_params_s
+ {
+ unsigned short fastRdpage[MEI_CMV_FAST_READ_MAX_PAGES];
+-} CMV_MESSAGE_FAST_RD_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_FAST_RD_PARAMS_T;
+
+ /**
+ CMV codeswap message.
+@@ -423,7 +423,7 @@ typedef struct cmv_message_fast_rd_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_MESSAGE_FAST_RD_PARAMS_T fastRdParams;
+-} CMV_MESSAGE_FAST_RD_T;
++} __attribute__((packed)) CMV_MESSAGE_FAST_RD_T;
+
+ /**
+ CMV messages
+@@ -435,7 +435,7 @@ typedef union cmv_message_all_s
+ CMV_MESSAGE_CS_T codeSwap;
+ CMV_MESSAGE_FAST_RD_T fastRd;
+ unsigned short rawMsg[CMV_HEADER_16BIT_SIZE + CMV_USED_PAYLOAD_16BIT_SIZE];
+-} CMV_MESSAGE_ALL_T;
++} __attribute__((packed)) CMV_MESSAGE_ALL_T;
+
+
+
+--- a/src/drv_mei_cpe_mailbox.h
++++ b/src/drv_mei_cpe_mailbox.h
+@@ -202,7 +202,7 @@ typedef union MEI_cmv_mailbox_s
+ CMV_MESSAGE_CS_T codeSwap;
+ /** CMV Fast Read message */
+ CMV_MESSAGE_FAST_RD_T fastRd;
+-} MEI_CMV_MAILBOX_T;
++} __attribute__((packed)) MEI_CMV_MAILBOX_T;
+
+
+ /**
+@@ -211,7 +211,7 @@ typedef union MEI_cmv_mailbox_s
+ typedef struct MEI_mei_mailbox_raw_s
+ {
+ IFX_uint16_t rawMsg[CMV_HEADER_16BIT_SIZE + CMV_USED_PAYLOAD_16BIT_SIZE];
+-} MEI_MEI_MAILBOX_RAW_T;
++} __attribute__((packed)) MEI_MEI_MAILBOX_RAW_T;
+
+
+ /**
+@@ -223,7 +223,7 @@ typedef union MEI_mei_mailbox_s
+ MEI_MEI_MAILBOX_RAW_T mbRaw;
+ /** CMV message type */
+ MEI_CMV_MAILBOX_T mbCmv;
+-} MEI_MEI_MAILBOX_T;
++} __attribute__((packed)) MEI_MEI_MAILBOX_T;
+
+
+ #ifdef __cplusplus
+--- a/src/drv_mei_cpe_msg_process.c
++++ b/src/drv_mei_cpe_msg_process.c
+@@ -2215,7 +2215,7 @@ MEI_STATIC IFX_int32_t MEI_ModemNfcRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
+@@ -3551,7 +3551,7 @@ IFX_int32_t MEI_IoctlCmdMsgWrite(
+ */
+ cmvMbSize = CMV_HEADER_8BIT_SIZE +
+ pUserMsg->paylSize_byte - (sizeof(IFX_uint16_t) * 2);
+- pDestPtr = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pDestPtr = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ if ( cmvMbSize > (int)(sizeof(MEI_CMV_MAILBOX_T)) )
+ {
+@@ -3665,7 +3665,7 @@ IFX_int32_t MEI_IoctlAckMsgRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
+--- a/src/drv_mei_cpe_msg_process_ar9.c
++++ b/src/drv_mei_cpe_msg_process_ar9.c
+@@ -1385,7 +1385,7 @@ MEI_STATIC IFX_int32_t MEI_ModemNfcRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
More information about the lede-commits
mailing list