thunderbolt: xdomain: Avoid potential stack OOB read
tb_xdp_properties_changed_request() was calling tb_xdp_handle_error() with a struct tb_xdp_properties_changed_response on the stack, which does not have the "error" field present when cast to struct tb_xdp_error_response. This was detected when building with -Warray-bounds: drivers/thunderbolt/xdomain.c: In function 'tb_xdomain_properties_changed': drivers/thunderbolt/xdomain.c:226:22: error: array subscript 'const struct tb_xdp_error_response[0]' is partly outside array bounds of 'struct tb_xdp_properties_changed_response[1]' [-Werror=array-bounds] 226 | switch (error->error) { | ~~~~~^~~~~~~ drivers/thunderbolt/xdomain.c:448:51: note: while referencing 'res' 448 | struct tb_xdp_properties_changed_response res; | ^~~ Add union containing struct tb_xdp_error_response to structures passed to tb_xdp_handle_error(), so that the "error" field will be present. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Please register or sign in to comment