On Tue, Apr 21, 2020 at 03:57:22PM +0300, Denis Efremov wrote:
> UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45
> index 16 is out of range for type 'unsigned char [16]'
> Call Trace:
> ...
> setup_rw_floppy+0x5c3/0x7f0
> floppy_ready+0x2be/0x13b0
> process_one_work+0x2c1/0x5d0
> worker_thread+0x56/0x5e0
> kthread+0x122/0x170
> ret_from_fork+0x35/0x40
>
> >From include/uapi/linux/fd.h:
> struct floppy_raw_cmd {
> ...
> unsigned char cmd_count;
> unsigned char cmd[16];
> unsigned char reply_count;
> unsigned char reply[16];
> ...
> }
>
> This out-of-bounds access is intentional. The command in struct
> floppy_raw_cmd may take up the space initially intended for the reply
> and the reply count. It is needed for long 82078 commands such as
> RESTORE, which takes 17 command bytes. Initial cmd size is not enough
> and since struct setup_rw_floppy is a part of uapi we check that
> cmd_count is in [0:16+1+16] in raw_cmd_copyin().
>
> The patch replaces array subscript with pointer arithetic to suppress
> UBSAN warning.
Urghh. I think the better way would be to use a union that creates
a larger cmd field, or something like:
struct floppy_raw_cmd {
...
u8 buf[34];
#define BUF_CMD_COUNT 0
#define BUF_CMD 1
#define BUF_REPLY_COUNT 17
#define BUF_REPLY 18
and use addressing based on that.
